Dan Sweetman edited this page Dec 18, 2016 · 4 revisions

##### Use-after-free vulnerability in the Document::finishedParsing function in core/dom/Document.cpp in Blink, as used in Google Chrome before 29.0.1547.57, allows remote attackers to cause a denial of service or possibly have unspecified other impact via an onload event that changes an IFRAME element so that its src attribute is no longer an XML document, leading to unintended garbage collection of this document.

1. The fix commit for the vulnerability (a git hash)

2. The commit that introduced the vulnerability (a git hash)

   - This file has existed since revision 4, and it is likely that the vulnerability has been present for a fair portion of that time. I was not able to find any reference to when it may have been introduced.
3. A description of the coding mistake that led to the vulnerability

   - Quoting the fix commit: "Protect documents from deletion when their onload removes them. When an XML document is the src of an iframe, and the onload method changes the src to something else, the XML document may be garbage collected before the original load is completed." In other words, `Document::finishedParsing` dispatched the load event without holding its own reference to the document it was running on, so a handler that navigated the iframe could release the frame's (last) reference and destroy the document while `finishedParsing` was still executing on it.
4. Who found it?

   - cloudfuzzer, a Russian fuzz testing company
5. Who fixed it? (Try to get some information on people beyond their name and email)

   - Stephen Chenney (LinkedIn): Google engineer and former professor at the University of Wisconsin-Madison
6. Is this code tested by automated tests?

   - Chromium crowdsources its testing. I was unable to find concrete evidence of this code being tested by developers, but it is possible.
7. Was it the same people who found it the ones who fixed it?

   - No. cloudfuzzer is a bounty-hunting fuzz testing company; they did not propose a fix.
8. What are the discussions like? Are people discussing requirements, design, security, compatibility, etc.? The more you can tie their discussion into the software development process the better. And, again, give me dates and links to actual mailing list discussions. Are there any other linguistic features you notice about these discussions? (e.g. are people angry or polite? terse, or ranty? is there some jargon you notice?)

   - The discussions involve developing a further understanding of the issue and what else may be impacted (i.e. whether HTML documents are affected as well, or only XML). The discussions are fairly in-depth, with technical language and code samples.

9. Was there a bounty awarded?

   - Yes: $1,000 to cloudfuzzer.

10. Any evidence of exploit? Was there a metasploit module made for it, or another exploit related to this (https://www.metasploit.com/)?

    - I was unable to find any evidence that this was exploited, despite it seemingly having been vulnerable for a long time before Google was made aware. Metasploit contains 3 references to the vulnerability, but no exploits are listed.

11. Any mention of how it was found? Fuzzer? Manual?

    - cloudfuzzer is the name of the company and also of the fuzzer that was used to discover the vulnerability.

12. Any other significant project-level development events happen during this time? (e.g. dump a related dependency, or change the design in some way)

    - Chromium version 22 was released in mid-June, about a month prior to the discovery. There should not have been any changes in that update that would have affected the vulnerable file, nor any files that interact with it.
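The coding mistake described under item 3, modelled as an added example: this is constructed illustration code, not Blink's code and not from the page's author. `RefPtr`, `Document` and `HTMLIFrameElement` are deliberately minimal stand-ins named after their Blink counterparts, the liveness bookkeeping (`s_live`) exists only so the outcome can be checked without actually dereferencing freed memory, and the hardened variant uses the local-protector idiom that the "protect documents from deletion" description points to; it is not a claim about the exact lines of the fix diff. The scenario is the CVE's trigger: an XML document is the iframe's `src`, and its onload handler changes the `src` while the original load is still being finished.

```cpp
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <utility>

// Constructed model of the bug, not Blink code: a ref-counted Document whose
// load-event dispatch can drop the frame's last reference to it.

template <typename T>
class RefPtr {                               // minimal intrusive smart pointer
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

class Document {
public:
    explicit Document(std::string url) : m_url(std::move(url)) { s_live.insert(this); }
    ~Document() { s_live.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    std::function<void()> onload;            // handler installed by the page's script
    static bool isLive(const void* doc) { return s_live.count(doc) != 0; }
    static size_t liveCount() { return s_live.size(); }

    // Vulnerable shape: nothing keeps `this` alive while the load event runs.
    // Returns whether the document survived dispatch; code that went on to touch
    // members here would be the use-after-free whenever it did not.
    bool finishedParsingUnprotected() {
        const void* self = this;             // pointer value only, never dereferenced after dispatch
        dispatchLoadEvent();
        return isLive(self);                 // false: `this` was freed inside onload
    }

    // Hardened shape: a local RefPtr owns a reference until this method returns,
    // so the handler can drop the frame's reference without destroying us.
    bool finishedParsingProtected() {
        RefPtr<Document> protect(this);
        const void* self = this;
        dispatchLoadEvent();
        ++m_loadEventsDispatched;            // safe: `protect` still holds a reference
        return isLive(self);                 // true
    }

private:
    void dispatchLoadEvent() {
        std::function<void()> handler = onload;   // copy: the member may be freed mid-call
        if (handler) handler();
    }
    std::string m_url;
    unsigned m_refCount = 0;
    unsigned m_loadEventsDispatched = 0;
    static std::set<const void*> s_live;    // every Document currently allocated
};
std::set<const void*> Document::s_live;

class HTMLIFrameElement {
public:
    // Navigating the frame replaces its content document; the old document loses
    // the frame's reference, which may have been the last one.
    void setSrc(const std::string& url) { m_contentDocument = RefPtr<Document>(new Document(url)); }
    Document* contentDocument() const { return m_contentDocument.get(); }
private:
    RefPtr<Document> m_contentDocument;
};

// The CVE's trigger. Returns true if the XML document was still alive after its
// own load event finished dispatching.
bool runScenario(bool protectDuringLoad) {
    HTMLIFrameElement frame;
    frame.setSrc("doc.xml");                                  // XML document is the iframe's src
    Document* xmlDoc = frame.contentDocument();
    xmlDoc->onload = [&frame] { frame.setSrc("other.html"); }; // onload changes the src
    return protectDuringLoad ? xmlDoc->finishedParsingProtected()
                             : xmlDoc->finishedParsingUnprotected();
}

int main() {
    std::printf("unprotected: document alive after onload = %d\n", runScenario(false));
    std::printf("protected:   document alive after onload = %d\n", runScenario(true));
    std::printf("documents still allocated: %zu\n", Document::liveCount());
    return 0;
}
```

The unprotected variant stops short of touching a member after dispatch so the model runs cleanly; add a member access after `dispatchLoadEvent()` in that variant and AddressSanitizer reports a heap-use-after-free on exactly the object that `finishedParsing` is executing on, which is the shape of bug the fix addresses.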