Google Chrome 'SaveAs' Function 'Title' Tag Buffer Overflow Vulnerability

Bugtraq ID:	31029
Class:	Boundary Condition Error
CVE:	CVE-2008-6994
Remote:	Yes
Local:	No
Published:	Sep 05 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	Le Duc Anh - SVRT - Bkis
Vulnerable:	Google Chrome 0.2.149 .27
Not Vulnerable:	Google Chrome 0.2.149 .29

Google Chrome 'SaveAs' Function 'Title' Tag Buffer Overflow Vulnerability

Google Chrome is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code in the context of the user running the application. Failed exploit attempts will likely result in a denial-of-service condition.

Google Chrome 0.2.149.27 is vulnerable.

Google Chrome 'SaveAs' Function 'Title' Tag Buffer Overflow Vulnerability

An attacker must convince an unsuspecting user to save a malicious web page by using the application's 'SaveAs' function.

The following example HTML code is available:

• /data/vulnerabilities/exploits/31029.html
• /data/vulnerabilities/exploits/31031.php

Google Chrome 'SaveAs' Function 'Title' Tag Buffer Overflow Vulnerability

Solution:
The vendor has addressed this issue in Chrome 0.2.149.29. Please see the references for more information.

Google Chrome 'SaveAs' Function 'Title' Tag Buffer Overflow Vulnerability

References:

• Google Chrome Homepage (Google)
  
• Google Chrome version 0.2.149.29 (Google)
  
• Google Chrome 0.2.149.27 'SaveAs' Function Buffer Overflow Vulnerability ("Security Vulnerability Research Team" )