VUPEN Vulnerability Research Team discovered a critical vulnerability in Google Chrome. The vulnerability is caused by an input validation error within the "Clipboard::WriteData()" function that does not restrict the value of the "format" parameter, which could be exploited to escape Chrome's sandbox and achieve code execution with Medium integrity level. Google Chrome versions prior to 33.0.1750.154 are affected.
1e839c35cc0103dc89491b813b56882dd52230a8917c7b3e18e00a97251c90dd
VUPEN Security Research - Google Chrome Clipboard Format Processing
Sandbox Escape (Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Google Chrome is a freeware web browser developed by Google. Chrome
version 28 and beyond uses the WebKit fork Blink. As of 2013,
StatCounter estimates that Google Chrome has a 39% worldwide usage
share of web browsers" (Wikipedia).
II. DESCRIPTION
---------------------
VUPEN Vulnerability Research Team discovered a critical vulnerability
in Google Chrome.
The vulnerability is caused by an input validation error within the
"Clipboard::WriteData()" function that does not restrict the value of
the "format" parameter, which could be exploited to escape Chrome's
sandbox and achieve code execution with Medium integrity level.
III. AFFECTED PRODUCTS
---------------------------
Google Chrome versions prior to 33.0.1750.154
IV. SOLUTION
----------------
Upgrade to Chrome version version 33.0.1750.154.
V. CREDIT
--------------
This vulnerability was discovered by VUPEN Security.
VI. ABOUT VUPEN Security
---------------------------
VUPEN is the leading provider of defensive and offensive cyber security
intelligence and advanced zero-day research. All VUPEN's vulnerability
intelligence results exclusively from its internal and in-house R&D
efforts conducted by its team of world-class researchers.
VUPEN Solutions: http://www.vupen.com/english/services/
VII. REFERENCES
----------------------
http://googlechromereleases.blogspot.com/2014/03/stable-channel-update_14.html
VIII. DISCLOSURE TIMELINE
-----------------------------
2013-12-19 - Vulnerability Discovered by VUPEN Security
2014-03-13 - Vulnerability Reported to Google/ZDI During Pwn2Own 2014
2014-03-14 - Vulnerability Fixed by Google
2014-03-26 - Public disclosure