[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Google Chrome Silent HTTP Authentication
# Published : 2013-02-11
# Author :
# Previous Title : MySQL (Linux) Heap Based Overrun PoC Zeroday
# Next Title : DIMIN Viewer 5.4.0 Crash PoC

# Exploit Title: [Google Chrome Silent HTTP Authentication]
# Date: [2-5-2013]
# Exploit Author: [T355]
# Vendor Homepage: [http://www.google.com/chrome]
# Version: [24.0.1312.57]
# Tested on: [Tested on: Windows 7 & Mac OSX Mountain Lion]
# CVE : [n/a]

The latest version of Google Chrome (Tested on Version 24.0.1312.57)
fails to properly recognize HTTP Basic Authentication when injected in
various HTML tags. As a result of this behavior Chrome will not alert
the user when HTTP Basic Authentication is taking place or when
credentials are rejected. This behavior is particularly concerning
with respect to small office and home routers. Such devices are easily
brute forced using this method. Many of these devices have the default
password enabled which brings me to part II of this bug. Silent HTTP
Authentication allows the attacker to log into the router and change
settings with no alerts and or warnings issued by Chrome. The end
result allows an attacker to brute force the router login, connect to
the router, enable remote administration and of course control all
information on the entire network via DNS attacks etc.
I have attached the following files:

sploit.txt - Indicates the buggy code.
jquery.js - Used for real world scenario but not needed for bug.
brute.js - Real world attack scenario for this bug.
index.html - HTML Attack Page
attack.php - Payload file for Linksys Routers.

Chrome Version: [24.0.1312.57]
Operating System: [Tested on: Windows 7 & Mac OSX Mountain Lion]


The impact for this bug is enormous. Tens of millions of home routers
can easily be completely compromised. Distributed brute force attacks
can be performed on any HTTP Authentication portal.

Reference how Firefox and Safari handle the attached code.

PoC: http://www.exploit-db.com/sploits/24486.tar.gz