Saturday, February 14, 2015

Google Chrome Insecure DLL Loading Code Execution

By default, Google Chrome tries to load cryptbase.dll from
C:\Program Files\Google\Chrome\Application\, but the DLL is not part of the installation.
Chrome fails with a DLL Not Found error.

If we copy any malicious DLL, renamed to cryptbase.dll, to C:\Program Files\Google\Chrome\Application\,
Chrome will load and execute the DLL controlled by the malicious user.

The source code which I used for building the DLL is at

Tested on
        Chrome 39.0.2171.95m (latest is also vulnerable)
        Windows 7 Ultimate N SP1

Reported to Google, but they didn't consider it, stating that it is a local exploit.
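
To audit for the condition described above, a defender can list DLLs in an application directory that share a name with a DLL in the system directory and check whether the contents differ. This is an added example, not code from the original post; the function names, the directory layout and every file name except cryptbase.dll are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def dlls_in(directory):
    """Map lower-cased file name -> path for every DLL directly in directory."""
    # Windows file names are case-insensitive, so compare lower-cased names.
    return {p.name.lower(): p for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}

def find_shadowing_dlls(app_dir, system_dir):
    """Return DLLs in app_dir whose name also exists in system_dir.

    A same-named file with different content is the case worth investigating:
    it would be loaded in place of the system copy if app_dir is searched first.
    """
    system = dlls_in(system_dir)
    findings = []
    for name, app_path in sorted(dlls_in(app_dir).items()):
        if name in system:
            findings.append({
                "name": name,
                "app_path": str(app_path),
                "system_path": str(system[name]),
                "same_content": sha256(app_path) == sha256(system[name]),
            })
    return findings

def build_demo_tree(root):
    """Create a constructed application/system directory pair (sample data)."""
    app, system = Path(root, "Application"), Path(root, "System32")
    app.mkdir()
    system.mkdir()
    (system / "cryptbase.dll").write_bytes(b"constructed system copy")
    (system / "shared.dll").write_bytes(b"constructed shared copy")
    (app / "CRYPTBASE.DLL").write_bytes(b"constructed unexpected copy")
    (app / "shared.dll").write_bytes(b"constructed shared copy")
    (app / "app_only.dll").write_bytes(b"constructed app-only dll")
    return app, system

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app, system = build_demo_tree(tmp)
        for f in find_shadowing_dlls(app, system):
            status = "identical to" if f["same_content"] else "DIFFERS from"
            print(f'{f["app_path"]} {status} {f["system_path"]}')
```

On a real host, pass the application directory and the Windows system directory; a finding with `same_content` set to `False` is a file to inspect, not proof of tampering.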