Obsolete
Status Update
Comments
zy...@sina.com <zy...@sina.com> #2
Excuse me. I think that I have made some spelling mistakes in this report.
If you can't understand some part of the report, you can contact me by e-mail: 1009465756@qq.com
js...@chromium.org <js...@chromium.org> #3
It looks like Omaha regressed path quoting for process launching. Seems to be a recurrence of https://crbug.com/chromium/160038 .
js...@chromium.org <js...@chromium.org> #4
[Empty comment from Monorail migration]
js...@chromium.org <js...@chromium.org> #5
[Empty comment from Monorail migration]
so...@chromium.org <so...@chromium.org> #6
[Empty comment from Monorail migration]
so...@chromium.org <so...@chromium.org> #7
Justin, the original bug was fixed in Omaha builds 1.3.21.127 and up.
The report from the user shows the path of the process as being "C:\Program Files\Google\Updata\1.3.21.115\GoogleCrashHandler.exe", which makes me believe it is Omaha version 1.3.21.115 that exhibits the bug. This version is prior to the version that has the fix. The version shows as 1.3.21.115 in the 2.png.
I would triage the bug as obsolete at this time. The only thing I'd be curious to know is how did the user end up with a version of Omaha which is about 1 year old.
Would you like to contact the user or would you like me to do it?
Please reopen the bug if you disagree.
zy...@sina.com <zy...@sina.com> #8
Hi, I'm aware that https://crbug.com/chromium/160038 was already closed in Dec 2012, but why hasn't the Privilege Escalation Vulnerability been fixed in the latest version (32.0.1700.102, updated on 2014.1.28) until now?
js...@chromium.org <js...@chromium.org> #9
Ah, I hadn't noticed how old the version of Omaha was. So, any idea why it wouldn't be updating?
zyy186076@sina.com - The updater (which contains the crash handler) is independent of the installed version of Chrome. Are you aware of any reason why your updater wouldn't be updating itself? Is this a new system? Is this a VM or a recently purchased system, and the updater simply hasn't had a chance to update yet?
js...@chromium.org <js...@chromium.org> #10
[Empty comment from Monorail migration]
cl...@chromium.org <cl...@chromium.org> #11
Bulk update: removing view restriction from closed bugs.
ga...@chromium.org <ga...@chromium.org> #12
[Empty comment from Monorail migration]
cl...@chromium.org <cl...@chromium.org> #13
[Empty comment from Monorail migration]
sh...@chromium.org <sh...@chromium.org> #14
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
sh...@chromium.org <sh...@chromium.org> #15
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
mb...@chromium.org <mb...@chromium.org> #16
[Empty comment from Monorail migration]
is...@google.com <is...@google.com> #17
This issue was migrated from crbug.com/chromium/338946?no_tracker_redirect=1
[Monorail mergedwith:crbug.com/chromium/339526 ]
[Monorail components added to Component Tags custom field.]
Description
Steps to reproduce the problem:
1. Make sure there's a Program.exe at C:\ (if Chrome is installed at C:\Program Files\Google)
2. Wait (if) Chrome shells GoogleCrashHandler.exe. "Program.exe" will run and get System Privileges instead of "GoogleCrashHandler.exe".
What is the expected behavior?
"Program.exe" gets a System Privilege
What went wrong?
Chrome has such a problem which will cause a Path Privilege Escalation Vulnerability.
After installing Google Chrome (zh-CN version), Chrome will shell "GoogleCrashHandler.exe".
I can see the command line is "C:\Program Files\Google\Updata\1.3.21.115\GoogleCrashHandler.exe" in Process Explorer.
Then Chrome will give "GoogleCrashHandler.exe" a System Privilege.
Maybe Chrome uses the CreateProcess function here, but it isn't used in a correct way. So if there is a Program.exe at C:\ when Chrome runs "GoogleCrashHandler.exe", the system tries to interpret the possibilities in the following order:
c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe
(Details at:
And Chrome doesn't check whether it is "GoogleCrashHandler.exe" and gives "Program.exe" a System Privilege immediately. So it causes a Path Privilege Escalation Vulnerability. Then you will find that Program.exe gets a System Privilege in Windows Taskmgr.
Did this work before? Yes Chrome shell GoogleCrashHandler.exe
Chrome version: 32.0.1700.102 Channel: stable
OS Version: 5.1 (Windows XP)
Flash Version:
A virus may get System Privileges by this vulnerability. I hold the point of view that it must be fixed.
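Added example (not part of the original report and not Omaha's code): a simplified C model of the candidate order listed in the description, showing which image paths CreateProcess tries for an unquoted command line when lpApplicationName is NULL, and that quoting the path leaves a single candidate. The sample path and the function names `image_candidates` and `quote_image` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXP 260

/* Simplified model of image resolution when lpApplicationName is NULL:
   fills out[] with the paths tried, in order. A return value above 1
   means the command line is ambiguous and should be quoted. */
int image_candidates(const char *cmd, char out[][MAXP], int max)
{
    size_t len = strlen(cmd);
    int n = 0;
    if (max < 1) return 0;
    if (cmd[0] == '"') {            /* quoted: image ends at the closing quote */
        const char *end = strchr(cmd + 1, '"');
        size_t k = end ? (size_t)(end - cmd - 1) : len - 1;
        snprintf(out[0], MAXP, "%.*s", (int)k, cmd + 1);
        return 1;
    }
    for (size_t i = 1; i <= len && n < max; i++) {
        if (cmd[i] != ' ' && cmd[i] != '\0') continue;  /* not a token boundary */
        if (cmd[i - 1] == ' ') continue;                /* run of spaces */
        size_t start = i;           /* find the last path component of cmd[0..i) */
        while (start > 0 && cmd[start - 1] != '\\') start--;
        int has_ext = memchr(cmd + start, '.', i - start) != NULL;
        /* ".exe" is appended when the component has no extension */
        snprintf(out[n++], MAXP, "%.*s%s", (int)i, cmd, has_ext ? "" : ".exe");
    }
    return n;
}

/* The fix: wrap the image path in quotes when building the command line.
   Returns 1 on success, 0 if dst is too small. */
int quote_image(const char *path, const char *args, char *dst, size_t cap)
{
    int w = snprintf(dst, cap, "\"%s\"%s%s", path, *args ? " " : "", args);
    return w > 0 && (size_t)w < cap;
}

int main(void)
{
    const char *raw = "C:\\Program Files\\Vendor App\\svc.exe"; /* constructed path */
    char c[8][MAXP], fixed[MAXP];
    int n = image_candidates(raw, c, 8);
    for (int i = 0; i < n; i++) printf("unquoted try %d: %s\n", i + 1, c[i]);
    if (quote_image(raw, "", fixed, sizeof fixed))
        printf("quoted: %d candidate\n", image_candidates(fixed, c, 8));
    return 0;
}
```

The same enumeration can be run over service ImagePath values or scheduled-task command lines to flag entries that need quoting.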