Google Chrome has a vulnerability that could allow a remote attacker to gain root access to infected machines, a security researcher said in a blog post Tuesday.
The researcher said a “reverse-engineered” exploit could be exploited to remotely take control of affected machines by leveraging a security vulnerability in Chrome that allows remote attackers the ability to cause a denial of service to affected machines.
The vulnerability in the browser’s security model allows attackers to perform the following actions to gain remote system privileges: When a user opens a file with the “open” option enabled, the browser displays an alert that says, “This file might contain sensitive information, but it isn’t a valid URL.
Please be sure to read and accept the warning before opening this file.”
When the user closes the file, the “close” button appears to close the file.
When the user opens another file with a similar name, the alert displays a message saying, “You can’t open this file with this name because it is not a valid file name.
Please read the warning and accept it before opening the file.”
When that function is executed, it returns a value of false, which will cause the exploit to succeed.
The Chrome security model was first reported by security researcher Cory Brown in a research note published Tuesday on the InternetSecurity Research Group blog.
Google has not commented on the vulnerability publicly.
“The ‘file’ parameter is not an empty string, and it is the default for files on Chrome, so it’s easy to imagine a possible scenario where a user is attempting to open a file that doesn’t exist, and then this malicious file gets executed,” Brown wrote.
“However, since ‘file_name’ is the only parameter that’s available, the vulnerability only works if a user has the ‘file open’ option enabled in Chrome, which would be possible if the ‘open’ option was not enabled in the first place.”
Brown said the “regex” functionality in the Chrome sandbox can be exploited if the attacker creates a string that contains the file name and then passes it to the “select” function.
The “select_file” function is the most vulnerable of the functions in Chrome’s sandbox, Brown wrote, because it’s the function that’s used to create files on the target machine.
When a file is selected, the file is displayed as a “new file” object and a prompt appears to indicate that the file has been opened.
But in the context of the Chrome security feature, the sandbox can’t create a new file, Brown noted.
When Chrome runs an action that allows a file to be opened, the user can click “OK” to accept the file opening.
The exploit will attempt to execute the “new” function, which is the function executed by the “Select File” action in the sandbox.
The new function will return the file object with the file path and a list of file names, but the file that’s being opened doesn’t have any of those file names.
Brown said that if the user tries to close a file without the “Close” button selected, a warning message appears in the page telling the user that the vulnerability has been discovered and that the browser won’t close the current file.
The exploit will then return true to allow the user to proceed with the attack.
If the new “select-file” action is not found, the new file function will continue executing until a file has successfully been closed.