Saturday, February 14, 2015

Google Chrome Insecure DLL Loading Code Execution

Google Chrome tries to load cryptbase.dll from its own directory, C:\Program Files\Google\Chrome\Application\, before anywhere else, but the DLL is not part of the installation: it is a Windows system DLL that lives in C:\Windows\System32. Because the standard Windows DLL search order checks the application directory before the system directory, the probe in the Chrome directory fails with a DLL Not Found (NAME NOT FOUND) error and the loader then falls back to the copy in System32.

If we copy any malicious DLL renamed as cryptbase.dll into C:\Program Files\Google\Chrome\Application\, Chrome will find it first and load and execute the attacker-controlled DLL inside the browser process. Note that by default only administrators can write to C:\Program Files, so on a default install this requires a user who is already an administrator (or a misconfigured ACL on the Application folder).
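As an added example (not code from this post or from the DLL source it links to), the following Python script triages a Process Monitor CSV export the way one would confirm this behaviour: it lists the DLL names chrome.exe probed for in its Application directory and did not find (the hijack candidates, together with where the loader finally loaded each one from), and, given a clean baseline trace, flags a later trace in which one of those names now loads from the Application directory instead of System32. The trace lines, PIDs, image bases and the name missing_example.dll are constructed for the example.

```python
"""Triage a Process Monitor (ProcMon) CSV export for DLL search-order hijacking.

Added example for this post; it is not the original author's code. The Windows
loader probes the executable's own directory before System32, so a DLL that a
process really imports from System32 appears in a trace as a CreateFile with
result NAME NOT FOUND in the application directory, followed by a SUCCESS from
C:\Windows\System32. Whoever can write to that directory can plant a DLL of the
same name and have it loaded instead (the cryptbase.dll case described above).
"""
import csv
import io
import ntpath  # Windows path semantics, so this also runs on a non-Windows analysis box

APP_DIR = r"C:\Program Files\Google\Chrome\Application"
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed sample in ProcMon's default CSV column layout, not a real capture
# (missing_example.dll is a made-up optional DLL that the loader never finds).
CLEAN_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1234567 AM","chrome.exe","4120","CreateFile","C:\Program Files\Google\Chrome\Application\cryptbase.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.1234600 AM","chrome.exe","4120","CreateFile","C:\Windows\System32\cryptbase.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.1234700 AM","chrome.exe","4120","Load Image","C:\Windows\System32\cryptbase.dll","SUCCESS","Image Base: 0x..."
"10:02:11.1234800 AM","chrome.exe","4120","Load Image","C:\Windows\System32\advapi32.dll","SUCCESS","Image Base: 0x..."
"10:02:11.1235000 AM","chrome.exe","4120","Load Image","C:\Program Files\Google\Chrome\Application\chrome.dll","SUCCESS","Image Base: 0x..."
"10:02:11.1236000 AM","chrome.exe","4120","CreateFile","C:\Program Files\Google\Chrome\Application\missing_example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:12.0000000 AM","explorer.exe","1200","CreateFile","C:\Program Files\Google\Chrome\Application\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Constructed trace of a later Chrome start after a cryptbase.dll was dropped into APP_DIR.
PLANTED_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:05:00.0000000 AM","chrome.exe","5210","CreateFile","C:\Program Files\Google\Chrome\Application\cryptbase.dll","SUCCESS","Desired Access: Read Attributes"
"10:05:00.0000100 AM","chrome.exe","5210","Load Image","C:\Program Files\Google\Chrome\Application\cryptbase.dll","SUCCESS","Image Base: 0x..."
"10:05:00.0000200 AM","chrome.exe","5210","Load Image","C:\Windows\System32\advapi32.dll","SUCCESS","Image Base: 0x..."
"10:05:00.0000300 AM","chrome.exe","5210","Load Image","C:\Program Files\Google\Chrome\Application\chrome.dll","SUCCESS","Image Base: 0x..."
'''


def parse_procmon_csv(text):
    """Return the export as a list of dicts keyed by ProcMon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _same_dir(path, directory):
    """True if path sits directly in directory (case-insensitive, Windows rules)."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory.rstrip("\\"))


def _is_process(row, process_name):
    return row["Process Name"].lower() == process_name.lower()


def hijack_candidates(rows, process_name, app_dir=APP_DIR):
    """Map each DLL name the process probed for and missed in app_dir to the path
    the loader later loaded it from (None if it never loaded: an optional DLL).
    Every entry is a name that a file planted in app_dir would shadow."""
    found = {}
    for r in rows:
        if not _is_process(r, process_name):
            continue
        path = r["Path"]
        name = ntpath.basename(path).lower()
        if not name.endswith(".dll"):
            continue
        if (r["Operation"] == "CreateFile" and r["Result"] == "NAME NOT FOUND"
                and _same_dir(path, app_dir)):
            found.setdefault(name, None)
        elif r["Operation"] == "Load Image" and r["Result"] == "SUCCESS" and name in found:
            found[name] = path
    return found


def system_loaded(rows, process_name):
    """Baseline: set of DLL names the process loaded from a Windows system directory."""
    return {ntpath.basename(r["Path"]).lower() for r in rows
            if _is_process(r, process_name)
            and r["Operation"] == "Load Image" and r["Result"] == "SUCCESS"
            and any(_same_dir(r["Path"], d) for d in SYSTEM_DIRS)}


def planted_dlls(rows, process_name, baseline_system_names, app_dir=APP_DIR):
    """Detection: images loaded from app_dir whose name a clean baseline resolved
    to a system directory. A hit means a file in app_dir now shadows a system DLL."""
    return [r["Path"] for r in rows
            if _is_process(r, process_name)
            and r["Operation"] == "Load Image" and r["Result"] == "SUCCESS"
            and _same_dir(r["Path"], app_dir)
            and ntpath.basename(r["Path"]).lower() in baseline_system_names]


if __name__ == "__main__":
    clean = parse_procmon_csv(CLEAN_TRACE)
    for name, loaded_from in hijack_candidates(clean, "chrome.exe").items():
        print(f"{name}: probed in app dir, loaded from {loaded_from or 'nowhere (optional)'}")
    baseline = system_loaded(clean, "chrome.exe")
    for path in planted_dlls(parse_procmon_csv(PLANTED_TRACE), "chrome.exe", baseline):
        print("system DLL shadowed from app dir:", path)
```

On a real capture, export ProcMon's log as CSV with the process filter set to chrome.exe and feed the text to parse_procmon_csv; the candidate list is what an attacker with write access to the Application folder would choose from, and the baseline-versus-later comparison is the check a responder would run when such a folder turns out to be writable.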


The source code I used for building the DLL is at
http://blog.disects.com/2014/08/dll-injection-executing-and-testing-dlls.html

Tested on
        Chrome 39.0.2171.95m (the latest build at the time of writing is also affected)
        Windows 7 Ultimate N SP1

Reported to Google, but they did not consider it a security vulnerability, stating that it is a local exploit.