
Issue 586628

Starred by 3 users

Issue metadata

Status: Fixed
Closed: Jul 2016
OS: Mac
Pri: 2
Type: Bug


Security: Denial of Service attack against Chrome on OS X on LAN

Reported by julian.s...@gmail.com, Feb 12 2016

Issue description

VULNERABILITY DETAILS
Sending malformed UTF-8 in mDNS TXT messages causes a NULL pointer dereference.  If an HP network printer with Google Cloud Print has a name containing emojis, this will happen automatically.  Trivial replay of these packets crashes all OS X Chromes on the network within five seconds.

The relevant lines in the Chromium source:
https://github.com/scheib/chromium/blob/e17f64a0e2379368cf9fd54109bbee246ca73b4f/chrome/browser/local_discovery/service_discovery_client_mac.mm#L113-L115

(NSString initWithBytes returns nil if the bytes aren't valid UTF-8.)

vlog output just before crash:
[1017:3343:0212/151652:VERBOSE1:service_discovery_client_mac.mm(403)] Resolving service :printer:downstairs._privet._tcp.local
[1017:99123:0212/151652:VERBOSE1:service_discovery_client_mac.mm(321)] ServiceResolverImplMac::ServiceResolverImplMac::StartResolvingOnDiscoveryThread: Success
[1017:3343:0212/151652:VERBOSE1:service_discovery_client_mac.mm(276)] ServiceWatcherImplMac::OnServicesUpdate: :printer:downstairs._privet._tcp.local
[1017:3343:0212/151652:VERBOSE1:service_discovery_device_lister.cc(48)] OnServiceUpdated: service_type: _privet._tcp.local, service_name: :printer:downstairs._privet._tcp.local, update: 1
[1017:3343:0212/151652:VERBOSE1:service_discovery_device_lister.cc(79)] Resolver already exists, service_name: :printer:downstairs._privet._tcp.local
[1017:99123:0212/151652:VERBOSE1:service_discovery_client_mac.mm(333)] ServiceResolverImplMac::NetServiceContainer::StartResolvingOnDiscoveryThread: :printer:downstairs._privet._tcp.local, instance: :printer:downstairs, type: _privet._tcp., domain: local.
[1017:99123:0212/151652:VERBOSE1:service_discovery_client_mac.mm(99)] ParseTxtRecord: 176
[1017:99123:0212/151652:VERBOSE1:service_discovery_client_mac.mm(110)] TxtRecord: txtvers=1
[1017:99123:0212/151652:VERBOSE1:service_discovery_client_mac.mm(110)] TxtRecord: UUID=50484256-4330-3130-3031-5820b14f2d90
[1017:99123:0212/151652:VERBOSE1:service_discovery_client_mac.mm(110)] TxtRecord: ty=�� downstairs

VERSION
Chrome Version: 48.0.2564.109 stable
Operating System: OS X 10.11.3

REPRODUCTION CASE
See attached script.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State: see second attached text file.

Attachments: starbucks.sh (2.5 KB); Capitan_10_11_3__15D21_.txt (88.3 KB)

Comment 1 by rickyz@chromium.org, Feb 13 2016

Labels: Security_Severity-Low Cr-Internals-Printing M-50 Pri-2
Owner: vitalyb...@chromium.org
Status: Assigned
Thanks for the detailed report. Mind taking a look at this, vitalybuka@? I'm not very familiar with Objective-C, but it looks like we need to check for null before calling UTF8String?
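The crash described in the report (an NSString built from invalid UTF-8 comes back nil, and calling UTF8String on nil yields a NULL pointer that is then dereferenced) and the check suggested in comment 1 both come down to validating each TXT entry before anything treats it as a string. The following is an added illustration, not Chromium's code or the patch attached to this issue: a portable C stand-in that walks a DNS-SD TXT record, validates each entry's UTF-8 and skips entries that fail instead of dereferencing them. The sample record is constructed to mirror the vlog's "ty=" entry with a truncated emoji; the RFC 6763 length-prefixed layout is the only format assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Strict UTF-8 check: rejects truncated sequences, stray continuation bytes,
 * overlongs, surrogates and code points above U+10FFFF. Returns 1 if valid. */
int utf8_valid(const uint8_t *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t b = s[i]; size_t len; uint32_t cp, min;
        if (b < 0x80) { i++; continue; }
        if ((b & 0xE0) == 0xC0)      { len = 2; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; min = 0x10000; }
        else return 0;
        if (i + len > n) return 0;            /* truncated, as in the "ty=" entry */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += len;
    }
    return 1;
}
/* Walk a DNS-SD TXT record (RFC 6763: length-prefixed key=value strings).
 * Invalid entries are counted and skipped, the non-crashing analogue of a nil
 * check before -UTF8String. Returns skipped count, or -1 on a bad length byte. */
int parse_txt_record(const uint8_t *rec, size_t n, int *valid_out) {
    size_t i = 0;
    int skipped = 0, valid = 0;
    while (i < n) {
        size_t len = rec[i++];
        if (i + len > n) return -1;           /* length runs past end of record */
        if (utf8_valid(rec + i, len)) valid++; else skipped++;
        i += len;
    }
    if (valid_out) *valid_out = valid;
    return skipped;
}
/* Constructed sample mirroring the report's vlog: "txtvers=1", then a "ty="
 * entry whose emoji was cut to 3 of its 4 bytes (F0 9F 98). Skipped: 1, valid: 1. */
int demo_parse(int *valid_out) {
    static const char *entries[] = { "txtvers=1", "ty=\xF0\x9F\x98 downstairs" };
    uint8_t rec[64]; size_t p = 0;
    for (int k = 0; k < 2; k++) {
        size_t len = strlen(entries[k]);
        rec[p++] = (uint8_t)len; memcpy(rec + p, entries[k], len); p += len;
    }
    return parse_txt_record(rec, p, valid_out);
}
```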

Comment 2 by ClusterFuzz, Feb 13 2016

Labels: Security_Impact-Head

Comment 3 by ClusterFuzz, Mar 3 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Owner: ----
Status: Available (was: Assigned)

Comment 5 by sheriffbot@chromium.org, Apr 14 2016

Labels: -Security_Impact-Beta Security_Impact-Stable

Comment 6 by sheriffbot@chromium.org, May 26 2016

Labels: -M-50 M-51
Cc: shrike@chromium.org
Labels: -M-51 M-53 OS-Mac
shrike: Can you help find an owner for this bug? The code in question is currently at https://chromium.googlesource.com/chromium/src/+blame/master/chrome/browser/local_discovery/service_discovery_client_mac.mm#112
So, I don't have a way to easily build chromium right now, but this issue is really annoying, so I'm attaching a patch to maybe get the ball rolling.  HTH.
Attachment: service_discovery_client_mac.mm.patch (812 bytes)

Comment 9 by shrike@chromium.org, Jun 15 2016

Owner: rsesek@chromium.org
Status: Assigned (was: Available)
rsesek@ - can you take a look?

Status: Started (was: Assigned)
The patch in #8 is a start, but I also noticed that this file has a bunch of leaks in it, and also can mishandle UTF-8 in other strings. CL is now out for review along with regression tests: https://codereview.chromium.org/2132723003/
Cc: vitalyb...@chromium.org

Comment 12 by bugdroid1@chromium.org, Jul 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4de054ddd802a66e912b5d1e29666d58413148ff

commit 4de054ddd802a66e912b5d1e29666d58413148ff
Author: rsesek <rsesek@chromium.org>
Date: Tue Jul 12 04:12:39 2016

[Mac] Make the local_discovery client more resilient to invalid UTF-8.

Both service names and TXT records could contain invalid code unit sequences
that could later lead to crashes. This change also fixes several NSObject leaks.

BUG=586628

Review-Url: https://codereview.chromium.org/2132723003
Cr-Commit-Position: refs/heads/master@{#404781}

[modify] https://crrev.com/4de054ddd802a66e912b5d1e29666d58413148ff/chrome/browser/local_discovery/service_discovery_client_mac.mm
[modify] https://crrev.com/4de054ddd802a66e912b5d1e29666d58413148ff/chrome/browser/local_discovery/service_discovery_client_mac_unittest.mm

Labels: -M-53 M-54
Status: Fixed (was: Started)

Comment 14 by sheriffbot@chromium.org, Jul 13 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: durga.behera@chromium.org
Issue 630838 has been merged into this issue.
Labels: Release-0-M54
Labels: -Type-Bug-Security -Security_Severity-Low -Release-0-M54 Type-Bug

Comment 18 by sheriffbot@chromium.org, Oct 19 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot