CVE-2017-15394 PoC — Google Chrome for Mac、Windows和Linux Extensions 安全漏洞

Source

https://github.com/sudosammy/CVE-2017-15394

Associated Vulnerability

Title:Google Chrome for Mac、Windows和Linux Extensions 安全漏洞 (CVE-2017-15394)
Description:Google Chrome for Mac、Windows和Linux是美国谷歌（Google）公司开发的一款基于Mac、Windows和Linux平台的Web浏览器。Extensions是其中的一个浏览器扩展程序。基于Windows、Mac和Linux平台的Google Chrome 62.0.3202.62之前版本中的Extensions存在安全漏洞，该漏洞源于程序没有充分的强制执行策略。远程攻击者可借助特制Chrome Extension中的IDN同形异义词利用该漏洞在权限对话中伪造域名。

Readme

# CVE-2017-15394

>A URL spoofing flaw has been found in the extensions UI of the Chromium browser < 62.0.3202.62.

An IDN homograph attack demo in Chromium through extensions.

1) Load unpacked extension into Chrome
2) View extension details and observe lack of punycode

## Impact

An attacker would leverage this weakness to aid in deception attacks by coercing a victim into granting the extension permissions to an unexpected domain.

## Patch

Released October 17, 2017: <https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html>

File Snapshot


 [4.0K]  /data/pocs/73bbca1989f0e8501e231dd64b72a2261470215b
├── [ 316]  manifest.json
└── [ 563]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!