Credit:
The information has been provided by Timothy D. Morgan.
The original article can be found at: http://www.vsecurity.com/resources/advisory/20100215-1/
Vulnerable Systems:
* Google Chrome Web Browser 4.0.249.78
* Google Chrome Web Browser 3.0.195.38
As with many modern browsers, Google Chrome implements a password manager to help users keep track of credentials used on various web sites. It may be used to store either HTTP authentication credentials or form-based credentials.
The vulnerability surfaces when a user visits a web page that includes an embedded object, such as an image, from a third-party site. If an attacker controls the third-party web server, he can request credentials from the user via HTTP authentication. This style of attack has been documented in the past, and some of the variations on this theme are explored in a recent paper by VSR.
However, in vulnerable versions of Google Chrome, the password manager may pre-fill the authentication dialog box with credentials intended for the parent page's domain, leaving users one click away from account compromise. This issue affects Chrome users who use applications that allow users to embed objects from third parties. Examples of such applications include message boards, blogs, and social networking sites.
The following steps may be used to reproduce the issue:
1. Set up an HTML page with the following contents:
<html><body>
<img src="http://evil.example.com/image.png" />
</body></html>
This page should not be protected by any authentication and should be hosted at:
http://victim.example.org/test-img.html
2. Set up an HTTP digest protected area under the following URL:
http://victim.example.org/private/
3. Set up the attacker's server to be protected by HTTP authentication such that the following URL is protected:
http://evil.example.com/image.png
4. Use Google Chrome to log in to an area protected with HTTP authentication, such as:
http://victim.example.org/private
Save the password in the password manager.
5. Finally, access the unauthenticated HTML page on the victim's server:
http://victim.example.org/test-img.html
Since the embedded image requires authentication, a password prompt should appear. In vulnerable versions of Google Chrome, this form will be pre-filled with the stored credentials from the victim.example.org domain, even though the password prompt is generated by evil.example.com.
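The following Python model is an added illustration of the credential-scoping mistake behind the steps above; it is not code from the advisory or from Chromium, and the credential values, realms and matching logic are constructed assumptions. It contrasts a lookup keyed on the parent page's host with one keyed on the origin and realm of the server that actually issued the 401 challenge.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StoredCredential:
    origin: str    # scheme://host:port the credential was saved for
    realm: str     # WWW-Authenticate realm it was saved under
    username: str
    password: str


@dataclass(frozen=True)
class AuthChallenge:
    page_url: str      # top-level document the user is viewing
    resource_url: str  # sub-resource whose server answered 401
    realm: str         # realm named in that server's WWW-Authenticate header


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host:port origin, making default ports explicit."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}[p.scheme]
    return f"{p.scheme}://{p.hostname}:{port}"


# Constructed store: the credential saved in step 4 of the reproduction.
STORE = [StoredCredential(origin_of("http://victim.example.org/private/"),
                          "private", "alice", "s3cret")]


def prefill_vulnerable(ch: AuthChallenge):
    """Model of the flawed behaviour: credentials chosen by the parent page's host,
    ignoring which server is actually asking."""
    page_host = urlsplit(ch.page_url).hostname
    for c in STORE:
        if urlsplit(c.origin).hostname == page_host:
            return c
    return None


def prefill_fixed(ch: AuthChallenge):
    """Correct scoping: only offer a credential saved for the exact origin
    (scheme, host and port) and realm of the challenging server."""
    key = origin_of(ch.resource_url)
    for c in STORE:
        if c.origin == key and c.realm == ch.realm:
            return c
    return None
```

A challenge from evil.example.com embedded in the victim page is served the victim credential by the flawed lookup and nothing by the corrected one, while a same-origin sub-resource under the stored realm is still pre-filled.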
Patch Availability:
The fix is available at:
http://src.chromium.org/viewvc/chrome?view=rev&revision=36829
CVE Information:
CVE-2010-0556
Disclosure Timeline:
2010-01-20 Issue reported.
2010-02-10 Chrome stable version 4.0.249.89 released which includes the fix.
2010-02-15 Advisory released.