How to crash Chrome Tab?? Aw, Snap! Vulnerability

In this post we are going to discuss a very simple, yet destructive vulnerability which has been recently found by web developer “Json Blatt”.

The vulnerability affects Chrome  version 41  on Windows, Ubuntu and OS X platforms. Although there are mixed reports but still we are successful in testing this vulnerability using Chrome version 41.0.2272.118 m and Windows 7 Ultimate Edition.

This vulnerability is used to crash the Chrome browser by a long/malformed URL in content of a user-submitted post. The same can be achieved by adding in comments section of HTML page.

The developer confirms that only (http:// ) works instead of (https:// ) . Also, If we try to do same through (file:// ), it does not work as the crash only occurs when accessing the link through a webserver.

The exploit works since the Chrome version 41 tends to prefetch data for the links which are present inside a page. Whenever a page loads, all the URL’s present inside a page are processed and there is a DNS lookup of those domains so that they load faster if user clicks on them.

Lets replicate the issue by making a dummy page, hosting it on own server(XAMPP in our case!) and opening it in Chrome version 41 browser.

1. We made a PHP Comment page which has POST parameters namely Name, Email, Website, Comment, Gender. The page shows that there was a normal comment and the input is reflected back to the page.

chrome awsnap bug1

2. Now, Lets enter a random long text in the <a href> tag inside comment section.

chrome awsnap bug2

3. Click on Submit button and see what happens.

chrome awsnap bug3

4. The crash happens successfully and the page is not accessible in Chrome. Lets test it in Firefox.

chrome awsnap bug4

Therefore the vulnerability lies in Chrome source code for kMaxDnsHostnameLengthHostname and DNS name. Whenever a longer string is passed by the page renderer for hostname lookup component, the  component gives an error when it compares hostname length with kMaxDnsHostnameLengthHostnameTherefore the “Aw Snap!” error occurs.

The fix has been carried out by Chrome for later versions 42,43 by restricting long hostnames to be passed for lookup.

You can test this vulnerability by clicking on this Reddit link or another link. (At your own risk!!)

We would love to hear from you..

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s