Starred by 9 users
Status: Archived
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security

Blocked on:
issue 649039
issue 649040
issue 649118
issue 649359
Chrome OS exploit: c-ares OOB write + dump_vpd_log > symlink
Reported by gzo...@gmail.com, Sep 21 2016
Here is a Chrome OS exploit chain. See writeup.pdf.

1. JS to root
JS goes to root directly by exploiting shill, the Chrome OS network manager. The vulnerability is a one byte overflow in c-ares, the DNS client library used by shill. The bug can be seen in https://github.com/c-ares/c-ares/blob/cares-1_7_5/ares_mkquery.c#L101 :

  len = 1;
  for (p = name; *p; p++) {                     // (1)
    if (*p == '\\' && *(p + 1) != 0)
      p++;
    len++;
  }

  if (*name && *(p - 1) != '.')                 // (2)
    len++;

  *buflen = len + HFIXEDSZ + QFIXEDSZ;
  *buf = malloc(*buflen);

  q = *buf;                                     // (3)
  q += HFIXEDSZ;
  while (*name) {
    len = 0;
    for (p = name; *p && *p != '.'; p++) {
      if (*p == '\\' && *(p + 1) != 0)
        p++;
      len++;
    }
    *q++ = (unsigned char)len;                  // (4)
    for (p = name; *p && *p != '.'; p++) {
      if (*p == '\\' && *(p + 1) != 0)
        p++;
      *q++ = *p;
    }
    if (!*p)
      break;
    name = p + 1;
  }
  *q++ = 0;

  // writes QFIXEDSZ bytes at q
  DNS_QUESTION_SET_TYPE(q, type);
  DNS_QUESTION_SET_CLASS(q, dnsclass);

Briefly, at (3) it parses the dot-separated parts of a DNS name and writes them into *buf. A one-byte length is also written for each part at (4), and the terminating dot is omitted. The last part may or may not end with a dot. The buffer size is calculated in (1) as basically just the string length. For n length bytes there are either n or n - 1 dots, depending on whether the last part ends with a dot. The check at (2) is meant to account for the n - 1 dots case: it adds +1 to the buffer size for the length byte of the last part.

Now, dots can be escaped though, and "\." is not considered to be a part terminator. If the last part ends with a "\." then it doesn't have a dot terminator, so (1) doesn't account for its length byte. (2) thinks that the last part does end with a dot and doesn't add +1 for the length byte either. The buffer remains too short and overflows by one byte.

2. Persistence
This is similar to what geohot did in https://crbug.com/351788

Snippet from /etc/init/ui-collect-machine-info.conf:
  env UI_MACHINE_INFO_FILE=/var/run/session_manager/machine-info
  dump_vpd_log --full --stdout > "${UI_MACHINE_INFO_FILE}"

The exploit symlinks machine-info to /run/modprobe.d which is a configuration file for modprobe. dump_vpd_log writes /mnt/stateful_partition/unencrypted/cache/vpd/full-v2.txt into /run/modprobe.d. The exploit places the "install modulename command..." clause into full-v2.txt to launch a command at boot.

There are difficulties though and the exploit uses symlinks extensively to overcome them. Here is a list:

  1) /var/run/session_manager/machine-info -> /run/modprobe.d
    Written to by /etc/init/ui-collect-machine-info.conf

  2) /var/run -> /var/real_run
    /var/run normally points to /run tmpfs, so redirect it to a stateful partition

  3) /var/log -> /run
    login_manager creates the /var/log/chrome directory. Use it to create the /run/chrome directory.

  4) /mnt/stateful_partition/unencrypted/preserve/attestation.epb -> /dev/net/
    /etc/init/cryptohomed.conf moves /mnt/stateful_partition/home/.shadow/attestation.epb to /mnt/stateful_partition/unencrypted/preserve/attestation.epb. Use it to move a device file into /dev/net.

  5) /var/lib/metrics/uma-events -> /dev/net/attestation.epb
    The uma-events file is often accessed by metrics. Link it to attestation.epb device file. Accessing the device triggers modprobe.

See writeup.pdf for details.

Running the exploit:
1) Optionally place any ssh keys to be authorized into drop/authorized_keys.
2) Run ./server.py on a linux machine from the crosxpl directory.
3) Double check that chromebook is up to date, platform version 8530.81.0, wolf.
4) Navigate to server-ip:8000 in guest mode. Calc should pop.
5) Reboot and enter guest mode. Calc should pop.

I've tested it on a Dell Chromebook 11, board name wolf. Some offsets may need to be adjusted for other models. It's a memory corruption exploit and the stability is about 90%. Sometimes shill hangs to the point of not accepting proxy connections. With bad luck you may have to reboot to retry.

Chrome: 53.0.2785.103 stable
Platform: Chrome OS, wolf, 8530.81.0
 
crosxpl.tar.gz
777 KB Download
writeup.pdf
273 KB Download
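The length miscalculation described in the report, reproduced as an added example that is not the reporter's code and not c-ares' own. It puts the two computations side by side: the byte count the 1.7.5 prologue reserves (steps (1) and (2) above) and the byte count the encoding loop (steps (3) and (4)) actually emits. The function names reserved_name_len, encoded_name_len, encode_name and encode_into_original_reservation are this example's, and the hardened encoder it shows (sizing the output from the same label walk that writes it, and refusing to write when the destination is too small) is this example's approach, not the upstream patch. HFIXEDSZ and QFIXEDSZ are left out because they do not affect the discrepancy.

```c
#include <stdio.h>
#include <stdlib.h>

/* Bytes the original prologue reserves for the encoded name: one per input
 * character with escapes collapsed, plus the terminating zero-length label,
 * plus one more length byte when the name does not end in '.'. */
size_t reserved_name_len(const char *name)
{
    const char *p;
    size_t len = 1;
    for (p = name; *p; p++) {
        if (*p == '\\' && *(p + 1) != 0)
            p++;
        len++;
    }
    if (*name && *(p - 1) != '.')   /* also sees the '.' of a trailing "\." */
        len++;
    return len;
}

/* Bytes the encoding loop actually emits: a length byte plus the label bytes
 * for each label, then the terminating zero. Uses the encoder's own label
 * rule, under which "\." is not a separator, so it cannot disagree with it. */
size_t encoded_name_len(const char *name)
{
    const char *p;
    size_t total = 0;
    while (*name) {
        size_t len = 0;
        for (p = name; *p && *p != '.'; p++) {
            if (*p == '\\' && *(p + 1) != 0)
                p++;
            len++;
        }
        total += 1 + len;
        if (!*p)
            break;
        name = p + 1;
    }
    return total + 1;
}

/* Hardened encoder: checks against encoded_name_len() before writing a single
 * byte. Returns the number of bytes written, or 0 if `out` is too small. */
size_t encode_name(const char *name, unsigned char *out, size_t outlen)
{
    const char *p;
    unsigned char *q = out;
    if (encoded_name_len(name) > outlen)
        return 0;
    while (*name) {
        size_t len = 0;
        for (p = name; *p && *p != '.'; p++) {
            if (*p == '\\' && *(p + 1) != 0)
                p++;
            len++;
        }
        *q++ = (unsigned char)len;
        for (p = name; *p && *p != '.'; p++) {
            if (*p == '\\' && *(p + 1) != 0)
                p++;
            *q++ = (unsigned char)*p;
        }
        if (!*p)
            break;
        name = p + 1;
    }
    *q++ = 0;
    return (size_t)(q - out);
}

/* Encode into a buffer of exactly the original's reservation. A result of 0
 * means the reservation is short, i.e. the 1.7.5 code would have overflowed. */
size_t encode_into_original_reservation(const char *name)
{
    size_t reserved = reserved_name_len(name);
    unsigned char *buf = malloc(reserved);
    size_t written;
    if (!buf)
        return 0;
    written = encode_name(name, buf, reserved);
    free(buf);
    return written;
}

int main(void)
{
    /* Constructed sample names; the last three end in an escaped dot. */
    const char *names[] = { "www.example.com", "example.com.", "a\\.b",
                            "a\\.", "example\\.", "\\." };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s reserved=%zu needed=%zu %s\n", names[i],
               reserved_name_len(names[i]), encoded_name_len(names[i]),
               encode_into_original_reservation(names[i]) ? "ok" : "OVERFLOW");
    return 0;
}
```

The table shows that for names ending in a plain dot, no dot, or an escaped dot in the middle the two counts agree, and that only a trailing "\." yields a reservation one byte short of what the encoder writes. The design point for a reviewer is the one the report makes: a size estimate computed by a different tokenization than the writer is a latent overflow, so the estimate should be the writer's own dry run.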
Comment 1 by jsc...@chromium.org, Sep 21 2016
Cc: dgreid@chromium.org mnissler@chromium.org
Labels: OS-Chrome Pri-0
Owner: rickyz@chromium.org
Status: Untriaged
Taking on an owner to verify and a few appropriate CCs.
Comment 2 by jsc...@chromium.org, Sep 21 2016
Status: Unconfirmed
Oops. Shouldn't mark untriaged until it's confirmed.
Comment 3 Deleted
Blockedon: 649039
Blockedon: 649040
Comment 6 by gzo...@gmail.com, Sep 21 2016
Can you please cc me to sub-bugs
Done.
Comment 8 Deleted
Comment 9 by rickyz@chromium.org, Sep 21 2016
Blockedon: 649118
Comment 10 Deleted
Comment 11 Deleted
Comment 12 Deleted
Comment 13 Deleted
Btw. I've successfully repro'd the exploit in a VM, so the exploit is officially confirmed.

Happy to provide instructions on VM setup if needed.
Comment 15 Deleted
Labels: Security_Severity-Critical Security_Impact-Stable
Blockedon: 649359
Comment 18 Deleted
Blockedon: 649417
Project Member Comment 20 by sheriffbot@chromium.org, Sep 23 2016
Labels: M-53
Labels: reward-topanel
Comment 22 by wfh@chromium.org, Oct 3 2016
Cc: billyleonard@google.com
Labels: -reward-topanel reward-100000 reward-unpaid
Labels: reward-inprocess
Comment 25 by gzo...@gmail.com, Oct 4 2016
Thank you.
Project Member Comment 26 by sheriffbot@chromium.org, Oct 6 2016
rickyz: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -reward-unpaid
Project Member Comment 28 by sheriffbot@chromium.org, Oct 13 2016
Labels: -M-53 M-54
Comment 29 by jln@chromium.org, Oct 18 2016
Cc: aarongreen@google.com jmatt@google.com
Project Member Comment 30 by sheriffbot@chromium.org, Oct 20 2016
rickyz: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
FWIW, we're still waiting on mitigation work to complete: Shill (which is underway) and TURN changes ( issue 649118 , which has just received a nag message as well).
Project Member Comment 32 by sheriffbot@chromium.org, Oct 22 2016
Labels: Deadline-Exceeded
We commit ourselves to a 30 day deadline for fixing for critical severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Hey mnissler! Could you please update the status here? One of the blocking issues is unassigned and the other hasn't had activity for over a month.

Is this still P0/Severity-critical? Or has a mitigation been put in place, in which case maybe we should open a different bug? 

Thanks!
Labels: -Pri-0 -Security_Impact-Stable Security_Impact-None Pri-2
Owner: mnissler@chromium.org
Current status: Mitigation is in place, my plan was to wait for the shill work to complete before we mark this fixed and open the bug. Relabeling accordingly. I'll ping the shill folks again to hopefully get some traction.
Cc: ejcaruso@chromium.org
Blockedon: -649417
Status: Fixed
Project Member Comment 38 by sheriffbot@chromium.org, Dec 13 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 39 by wfh@chromium.org, Dec 14 2016
Labels: -Restrict-View-SecurityNotify
Comment 40 by wfh@chromium.org, Dec 14 2016
Labels: allpublic
Comment 41 by dchan@google.com, Mar 4 2017
Labels: VerifyIn-58
Comment 42 by dchan@google.com, Apr 17 2017
Labels: VerifyIn-59
Labels: VerifyIn-60
Labels: VerifyIn-61
Cc: mpdenton@google.com
Status: Archived