Vendor: Chrome
Author: T355
CVSS: 8.8 (HIGH)
Title: Silent HTTP Authentication
CWE: 287
Product Name: Chrome
Affected Version From: 24.0.1312.57
Affected Version To: 24.0.1312.57
Patch Exists: No
Related CWE: n/a
CPE: a:google:chrome
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 & Mac OSX Mountain Lion
Year: 2013

Google Chrome Silent HTTP Authentication

The latest version of Google Chrome (tested on version 24.0.1312.57) fails to properly recognize HTTP Basic Authentication when it is injected in various HTML tags. As a result, Chrome does not alert the user when HTTP Basic Authentication is taking place or when credentials are rejected. This behavior is particularly concerning with respect to small office and home routers, which are easily brute-forced using this method. Many of these devices have the default password enabled, which brings me to part II of this bug: silent HTTP authentication allows the attacker to log into the router and change settings with no alerts or warnings issued by Chrome. The end result is that an attacker can brute-force the router login, connect to the router, enable remote administration and of course control all information on the entire network via DNS attacks etc.

Mitigation:

Reference how Firefox and Safari handle the attached code.

Exploit-DB raw data:

# Exploit Title: [Google Chrome Silent HTTP Authentication]
# Date: [2-5-2013]
# Exploit Author: [T355]
# Vendor Homepage: [http://www.google.com/chrome]
# Version: [24.0.1312.57]
# Tested on: [Tested on: Windows 7 & Mac OSX Mountain Lion]
# CVE : [n/a]

VULNERABILITY DETAILS
The latest version of Google Chrome (tested on version 24.0.1312.57)
fails to properly recognize HTTP Basic Authentication when it is
injected in various HTML tags. As a result, Chrome does not alert the
user when HTTP Basic Authentication is taking place or when
credentials are rejected. This behavior is particularly concerning
with respect to small office and home routers, which are easily
brute-forced using this method. Many of these devices have the default
password enabled, which brings me to part II of this bug: silent HTTP
authentication allows the attacker to log into the router and change
settings with no alerts or warnings issued by Chrome. The end result
is that an attacker can brute-force the router login, connect to the
router, enable remote administration and of course control all
information on the entire network via DNS attacks etc.

REPRODUCTION CASE
I have attached the following files:

sploit.txt - Indicates the buggy code.
jquery.js - Used for real world scenario but not needed for bug.
brute.js - Real world attack scenario for this bug.
index.html - HTML Attack Page
attack.php - Payload file for Linksys Routers.

VERSION
Chrome Version: [24.0.1312.57]
Operating System: [Tested on: Windows 7 & Mac OSX Mountain Lion]

CREDIT
T355

IMPACT
The impact for this bug is enormous. Tens of millions of home routers
can easily be completely compromised. Distributed brute force attacks
can be performed on any HTTP Authentication portal.

RECOMMENDATIONS
Reference how Firefox and Safari handle the attached code.
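
A detection example for the silent brute forcing described above, added here and not part of the original advisory: it scans an HTTP access log from the targeted device for clients that accumulate 401 responses while the Referer points at a foreign origin, and marks cases where a success follows. The combined log format, the device address, the host names, the threshold and the presence of a Referer header on these requests are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access log (combined format) for a device at 192.168.1.1.
# Addresses, host names and timestamps are made up for this example.
SAMPLE_LOG = """\
192.168.1.23 - - [05/Feb/2013:10:00:01 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.168.1.23 - admin [05/Feb/2013:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.40 - - [05/Feb/2013:10:02:00 +0000] "GET / HTTP/1.1" 401 0 "http://attack-page.example/index.html" "Chrome/24.0.1312.57"
192.168.1.40 - - [05/Feb/2013:10:02:00 +0000] "GET / HTTP/1.1" 401 0 "http://attack-page.example/index.html" "Chrome/24.0.1312.57"
192.168.1.40 - - [05/Feb/2013:10:02:01 +0000] "GET / HTTP/1.1" 401 0 "http://attack-page.example/index.html" "Chrome/24.0.1312.57"
192.168.1.40 - - [05/Feb/2013:10:02:01 +0000] "GET / HTTP/1.1" 401 0 "http://attack-page.example/index.html" "Chrome/24.0.1312.57"
192.168.1.40 - admin [05/Feb/2013:10:02:02 +0000] "GET / HTTP/1.1" 200 512 "http://attack-page.example/index.html" "Chrome/24.0.1312.57"
192.168.1.55 - - [05/Feb/2013:10:05:00 +0000] "GET / HTTP/1.1" 401 0 "http://news.example/" "Mozilla/5.0"
"""

# client, ident, user, [time], "request", status, size, "referer"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def find_cross_origin_auth_bursts(log_text, device_host, threshold=3):
    """Return {(client_ip, referer_host): {"failures": n, "succeeded": bool}}
    for clients with at least `threshold` 401 responses on requests whose
    Referer is an origin other than the device itself."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ref_host = urlsplit(m["referer"]).hostname
        if ref_host is None or ref_host == device_host:
            continue  # no Referer, or the device's own login page
        entry = stats.setdefault((m["ip"], ref_host),
                                 {"failures": 0, "succeeded": False})
        if m["status"] == "401":
            entry["failures"] += 1
        elif m["status"].startswith("2") and entry["failures"] >= threshold:
            # A success after a burst of rejections: a guess was accepted.
            entry["succeeded"] = True
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}

if __name__ == "__main__":
    for key, info in find_cross_origin_auth_bursts(SAMPLE_LOG, "192.168.1.1").items():
        print(key, info)
```

Because the browser shows no prompt, a burst like this in the device log may be the only visible trace; a `succeeded` entry means the credentials should be changed and the device settings reviewed.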

PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24486.tar.gz