CVE-2009-2060 in Chrome
Summary
by MITRE
src/net/http/http_transaction_winhttp.cc in Google Chrome before 1.0.154.53 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/06/2019
The vulnerability described in CVE-2009-2060 represents a critical security flaw in Google Chrome's handling of HTTP CONNECT requests through the WinHTTP backend on Windows systems. This issue specifically affects Chrome versions prior to 1.0.154.53 and stems from how the browser processes proxy responses when establishing secure connections. The flaw enables attackers to manipulate the Host header in CONNECT responses, which Chrome incorrectly uses to determine the document context for 4xx and 5xx error responses from proxy servers. This misconfiguration creates a path for man-in-the-middle attacks where malicious actors can inject arbitrary web script into the browser's context, effectively bypassing SSL certificate validation mechanisms.
The technical implementation of this vulnerability involves Chrome's reliance on the HTTP Host header within proxy CONNECT responses to establish document context for error handling. When a proxy server returns a 4xx or 5xx CONNECT response, Chrome incorrectly trusts the Host header value provided in these error responses rather than validating it against the original connection context. This behavior violates fundamental security principles of certificate validation and establishes a trust relationship that should not exist in the context of error responses. The flaw essentially allows an attacker positioned between the client and proxy server to modify the CONNECT response and inject malicious content that gets executed in the browser's security context.
The operational impact of this vulnerability extends beyond simple script injection to represent a complete breakdown in SSL security assurances. Attackers can exploit this weakness to perform SSL tampering attacks by crafting malicious proxy responses that appear legitimate to Chrome's WinHTTP implementation. This enables attackers to bypass certificate warnings, inject malicious content into secure connections, and potentially escalate privileges within the browser environment. The vulnerability particularly affects users who rely on proxy servers for internet access, as the attack vector becomes more accessible through the proxy infrastructure. This issue demonstrates a critical failure in Chrome's certificate validation logic when processing proxy error responses, creating a persistent security risk for all affected users.
This vulnerability maps directly to CWE-295 which describes "Improper Certificate Validation" and aligns with ATT&CK technique T1041 which covers "Exfiltration Over C2 Channel" and T1557 which addresses "Adversary-in-the-Middle". The flaw represents a classic case of trust abuse in network security where the application incorrectly trusts information from a potentially compromised proxy server. The attack scenario involves an attacker intercepting traffic between Chrome and a proxy server, modifying the CONNECT response to include malicious Host header values, and then executing arbitrary web scripts within the browser's context. Mitigation strategies should include immediate patching of Chrome to version 1.0.154.53 or later, implementation of network monitoring to detect unusual proxy responses, and deployment of additional security layers such as proxy server hardening and certificate pinning mechanisms. Organizations should also consider implementing network segmentation and traffic inspection to prevent such attacks from succeeding in enterprise environments.