In this post we discuss a very simple yet destructive vulnerability recently found by web developer “Json Blatt”.
The vulnerability affects Chrome version 41 on Windows, Ubuntu and OS X. Although there are mixed reports, we reproduced it successfully using Chrome version 41.0.2272.118 m on Windows 7 Ultimate Edition.
The vulnerability crashes the Chrome browser when a long or malformed URL appears in the content of a user-submitted post. The same can be achieved by adding such a URL to the comments section of an HTML page.
The developer confirms that only http:// links trigger it, not https:// ones. Trying the same through file:// does not work either, as the crash only occurs when the link is accessed through a web server.
The exploit works because Chrome version 41 prefetches data for the links present in a page. Whenever a page loads, all the URLs in it are processed and a DNS lookup is performed for their domains so that they load faster if the user clicks on them.
Let's replicate the issue by making a dummy page, hosting it on our own server (XAMPP in our case!) and opening it in Chrome version 41.
1. We made a PHP comment page with the POST parameters Name, Email, Website, Comment and Gender. A normal comment is accepted and the input is reflected back to the page.
2. Now, let's enter random long text in an <a href> tag inside the comment section.
3. Click the Submit button and see what happens.
4. The crash occurs and the page is not accessible in Chrome. Let's test it in Firefox.
The vulnerability therefore lies in the Chrome source code around kMaxDnsHostnameLengthHostname and DNS name handling. Whenever the page renderer passes a longer string to the hostname lookup component, that component errors out when it compares the hostname length against kMaxDnsHostnameLengthHostname, and the “Aw Snap!” error occurs.
Chrome fixed this in later versions 42 and 43 by preventing long hostnames from being passed for lookup.
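As an added example (not code from the original post), here is a server-side check a comment handler could run on submitted HTML before storing it, written in Python rather than the post's PHP page: it rejects http(s) links whose hostname breaks the DNS limits of RFC 1035 (63 characters per label, 253 in total), so other visitors' browsers are never asked to resolve such a name. The RFC limits stand in for Chrome's kMaxDnsHostnameLengthHostname, whose value the post does not give, and the sample comments are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# DNS limits from RFC 1035: each label at most 63 characters, whole name at most
# 253 in text form. They stand in for Chrome's own constant, whose value the
# post does not quote.
MAX_HOSTNAME_LEN = 253
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def hostname_is_sane(hostname):
    """True if hostname respects the DNS length and label rules above."""
    if not hostname or len(hostname) > MAX_HOSTNAME_LEN:
        return False
    return all(LABEL_RE.match(lbl) for lbl in hostname.rstrip(".").split("."))

class LinkCollector(HTMLParser):
    """Collect href values of <a> tags from submitted HTML."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)

def find_bad_links(comment_html):
    """Return hrefs whose http(s) hostname breaks the DNS rules, so the comment
    handler can reject the submission before the link reaches other visitors."""
    collector = LinkCollector()
    collector.feed(comment_html)
    bad = []
    for href in collector.hrefs:
        try:
            parts = urlsplit(href)
            host = parts.hostname or ""
        except ValueError:  # e.g. unbalanced IPv6 brackets: treat as bad
            bad.append(href)
            continue
        if parts.scheme in ("http", "https") and not hostname_is_sane(host):
            bad.append(href)
    return bad

# Constructed sample comments (not taken from the post)
GOOD_COMMENT = '<p>See <a href="http://example.com/page">this</a></p>'
LONG_HREF = "http://" + "x" * 300 + ".example/"
BAD_COMMENT = '<p><a href="' + LONG_HREF + '">long</a></p>'
```

Relative hrefs are left alone because they resolve to the site's own host; a stricter deployment could also strip the tag entirely instead of rejecting the comment.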