Issue 167840 Linux sandbox bypass in file_util_posix.cc CopyDirectory()
Starred by 1 user Project Member Reported by aedla@chromium.org, Dec 29 2012 Back to list
Status: Verified
Closed: Jan 2013
OS: Linux, Android, iOS, Chrome, Mac
Pri: 1
Type: Bug-Security
Code in base/file_util_posix.cc CopyDirectory():

std::string suffix(&current.value().c_str()[from_path_base.value().size()]);  // offset = length of the unstripped from_path_base, applied to the stripped current
...
const FilePath target_path = to_path.Append(suffix);  // the attacker-influenced suffix is joined onto the destination
...
CopyFile(current, target_path)

The problem is that trailing separators aren't stripped in from_path_base yet they're stripped in current, leading to out-of-bounds read of suffix. This can be exploited to create a suffix with path traversal: "/../../../../../../home/aedla/file_in_home".

This only affects Linux.

REPRODUCTION CASE
Under Linux:
 - apply ppapi.patch
 - adjust #define's
 - compile a release build
 - open http://www.ut.ee/~asd/swf.html
 - file_in_home is created in home

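The separator mismatch described in the report, as an added example that is neither Chromium code nor the fix later committed for this bug: a stand-alone C++ model of how the suffix computation indexes past the end of `current` when `from_path_base` keeps a trailing separator, beside a hardened version of the same step. The function names (`VulnerableSuffix`, `SafeTargetPath`, `HasDotDotComponent`) and the sample paths are hypothetical, and the bytes the model places after `current` stand in for whatever an attacker arranges to follow the string in memory.

```cpp
// Added example (not Chromium code): a stand-alone model of the suffix
// computation in CopyDirectory() and a hardened alternative. Function names
// and sample paths are hypothetical.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Mirrors what happens to 'current' before the suffix is taken: trailing
// separators are removed (the root "/" itself is kept).
static std::string StripTrailingSeparators(const std::string& path) {
  std::string out = path;
  while (out.size() > 1 && out.back() == '/')
    out.pop_back();
  return out;
}

// Vulnerable form. The real code does
//   std::string suffix(&current.value().c_str()[from_path_base.value().size()]);
// i.e. it indexes current's C string by the length of the *unstripped* base.
// If the caller passed from_path_base with a trailing '/', that index is one
// past current's terminating NUL, and std::string reads whatever bytes follow
// in memory. To keep this model well-defined the bytes are laid out
// explicitly: 'bytes_after_current' stands in for heap contents an attacker
// arranges (constructed input, not a real heap dump).
static std::string VulnerableSuffix(const std::string& from_path_base,
                                    const std::string& current,
                                    const std::string& bytes_after_current) {
  std::vector<char> mem(current.begin(), current.end());
  mem.push_back('\0');                                  // end of current.value()
  mem.insert(mem.end(), bytes_after_current.begin(), bytes_after_current.end());
  mem.push_back('\0');
  const std::size_t offset = from_path_base.size();     // the bug: unstripped length
  if (offset >= mem.size())
    return std::string();                               // keep the model inside the buffer
  return std::string(&mem[offset]);                     // strlen-style read from 'offset'
}

// True if any '/'-separated component of 'path' is exactly "..".
static bool HasDotDotComponent(const std::string& path) {
  std::size_t start = 0;
  while (start <= path.size()) {
    std::size_t end = path.find('/', start);
    if (end == std::string::npos) end = path.size();
    if (path.compare(start, end - start, "..") == 0) return true;
    start = end + 1;
  }
  return false;
}

// Hardened form (this example's own, not the project's fix): normalize both
// paths the same way, prove 'current' lies under the base, derive the suffix
// by std::string length rather than a raw pointer offset, refuse any ".."
// component, and only then join it onto to_path.
static bool SafeTargetPath(const std::string& from_path_base,
                           const std::string& current,
                           const std::string& to_path,
                           std::string* target) {
  const std::string base = StripTrailingSeparators(from_path_base);
  const std::string cur = StripTrailingSeparators(current);
  if (cur.size() < base.size() || cur.compare(0, base.size(), base) != 0)
    return false;                             // not under the source tree at all
  std::string suffix;
  if (cur.size() == base.size()) {
    suffix = "";                              // copying the base directory itself
  } else if (base == "/") {
    suffix = cur;                             // everything under root keeps its leading '/'
  } else if (cur[base.size()] == '/') {
    suffix = cur.substr(base.size());         // "/sub/file"
  } else {
    return false;                             // "/tmp/srcX" is not under "/tmp/src"
  }
  if (HasDotDotComponent(suffix))
    return false;                             // would escape to_path
  *target = StripTrailingSeparators(to_path) + suffix;
  return true;
}

int main() {
  std::cout << VulnerableSuffix("/tmp/src/", "/tmp/src",
                                "/../../../../home/aedla/file_in_home") << "\n";
  std::string target;
  std::cout << (SafeTargetPath("/tmp/src/", "/tmp/src/sub/b", "/tmp/dst", &target)
                    ? target : std::string("rejected")) << "\n";
  return 0;
}
```

In the real code the suffix then goes through `to_path.Append()`; the reproduction case above shows that in a release build nothing on that path stops a suffix beginning with `/../`, so the copy lands in the home directory. The hardened version treats both paths identically before comparing them and rejects any `..` component, which is the check to look for in any copy-tree routine that derives destination paths from source paths.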
 
Comment 1 by aedla@chromium.org, Dec 29 2012
ppapi.patch
2.1 KB View Download
Comment 2 by aedla@chromium.org, Dec 30 2012
Labels: OS-Mac OS-Chrome OS-Android OS-iOS
These should be affected as well?

@aedla: nice!!!

Can you explain your comment in the PoC, "/* hack around '\0' protection in FilePath */" ?
Comment 4 by aedla@chromium.org, Jan 3 2013
@scarybeasts: thanks!

The '\0' thing wasn't really necessary. I forgot that https://codereview.chromium.org/11642041/ hasn't been committed.
Cc: brettw@chromium.org
Project Member Comment 7 by bugdroid1@chromium.org, Jan 14 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176659

------------------------------------------------------------------------
r176659 | aedla@chromium.org | 2013-01-14T12:29:43.955761Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_posix.cc?r1=176659&r2=176658&pathrev=176659
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_unittest.cc?r1=176659&r2=176658&pathrev=176659

Fix creating target paths in file_util_posix CopyDirectory.

BUG= 167840 


Review URL: https://chromiumcodereview.appspot.com/11773018
------------------------------------------------------------------------
Project Member Comment 8 by bugdroid1@chromium.org, Jan 14 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176661

------------------------------------------------------------------------
r176661 | joaodasilva@chromium.org | 2013-01-14T12:56:28.825243Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_posix.cc?r1=176661&r2=176660&pathrev=176661
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_unittest.cc?r1=176661&r2=176660&pathrev=176661

Revert 176659
> Fix creating target paths in file_util_posix CopyDirectory.
> 
> BUG= 167840 
> 
> 
> Review URL: https://chromiumcodereview.appspot.com/11773018

TBR=aedla@chromium.org
Review URL: https://codereview.chromium.org/11877016
------------------------------------------------------------------------
Project Member Comment 9 by bugdroid1@chromium.org, Jan 30 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=179590

------------------------------------------------------------------------
r179590 | aedla@chromium.org | 2013-01-30T11:38:02.284061Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_win.cc?r1=179590&r2=179589&pathrev=179590
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_unittest.cc?r1=179590&r2=179589&pathrev=179590
   M http://src.chromium.org/viewvc/chrome/trunk/src/base/file_util_posix.cc?r1=179590&r2=179589&pathrev=179590

Fix creating target paths in file_util_posix CopyDirectory.

BUG= 167840 


Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=176659

Review URL: https://chromiumcodereview.appspot.com/11773018
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Approved
Status: Fixed
Labels: -Mstone-24 -Merge-Approved Mstone-25 Merge-Merged Release-0
Project Member Comment 12 by bugdroid1@chromium.org, Feb 4 2013
Labels: merge-merged-1364
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=180487

------------------------------------------------------------------------
r180487 | cevans@chromium.org | 2013-02-04T20:11:26.380241Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util_win.cc?r1=180487&r2=180486&pathrev=180487
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util_unittest.cc?r1=180487&r2=180486&pathrev=180487
   M http://src.chromium.org/viewvc/chrome/branches/1364/src/base/file_util_posix.cc?r1=180487&r2=180486&pathrev=180487

Merge 179590
> Fix creating target paths in file_util_posix CopyDirectory.
> 
> BUG= 167840 
> 
> 
> Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=176659
> 
> Review URL: https://chromiumcodereview.appspot.com/11773018

TBR=aedla@chromium.org
Review URL: https://codereview.chromium.org/12197017
------------------------------------------------------------------------
Status: Verified
Labels: CVE-2013-0895
Project Member Comment 15 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-Internals -SecImpacts-Stable -SecImpacts-Beta -Mstone-25 -SecSeverity-High Security-Impact-Stable Security-Impact-Beta Cr-Internals M-25 Type-Bug-Security Security-Severity-High
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Labels: -Restrict-View-SecurityNotify
Project Member Comment 20 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 21 by sheriffbot@chromium.org, Oct 1
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 22 by sheriffbot@chromium.org, Oct 2
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic