Security: ChromeOS Exploit persistence via symlink
Issue description

Breakout bug for a portion of the exploit chain described in issue 648971.

------

This is similar to what geohot did in https://crbug.com/351788

Snippet from /etc/init/ui-collect-machine-info.conf:

    env UI_MACHINE_INFO_FILE=/var/run/session_manager/machine-info
    dump_vpd_log --full --stdout > "${UI_MACHINE_INFO_FILE}"

The exploit symlinks machine-info to /run/modprobe.d which is a configuration file for modprobe. dump_vpd_log writes /mnt/stateful_partition/unencrypted/cache/vpd/full-v2.txt into /run/modprobe.d. The exploit places the "install modulename command..." clause into full-v2.txt to launch a command at boot.

There are difficulties though and the exploit uses symlinks extensively to overcome them. Here is a list:

1) /var/run/session_manager/machine-info -> /run/modprobe.d
   Written to by /etc/init/ui-collect-machine-info.conf

2) /var/run -> /var/real_run
   /var/run normally points to /run tmpfs, so redirect it to a stateful partition

3) /var/log -> /run
   login_manager creates the /var/log/chrome directory. Use it to create the /run/chrome directory.

4) /mnt/stateful_partition/unencrypted/preserve/attestation.epb -> /dev/net/
   /etc/init/cryptohomed.conf moves /mnt/stateful_partition/home/.shadow/attestation.epb to /mnt/stateful_partition/unencrypted/preserve/attestation.epb. Use it to move a device file into /dev/net.

5) /var/lib/metrics/uma-events -> /dev/net/attestation.epb
   The uma-events file is often accessed by metrics. Link it to attestation.epb device file. Accessing the device triggers modprobe.
Sep 25 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/8d2a9d39b4e4fa51897fd67a02748273c15167ad

commit 8d2a9d39b4e4fa51897fd67a02748273c15167ad
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 01:03:36 2016

init: Recreate /var/run and /var/lock symlinks on each boot.

Also adds some extra paranoid checks that certain stateful partition paths are directories before changing their permissions/owners/groups.

BUG=chromium:649039
TEST=Device boots.

Change-Id: I90ebdffe3b0c377ea8c9caaada4228f20d534833
Reviewed-on: https://chromium-review.googlesource.com/388067
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/8d2a9d39b4e4fa51897fd67a02748273c15167ad/init/chromeos_startup
Sep 25 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/be7d1436d816775151477fdc033894efd82b4a41

commit be7d1436d816775151477fdc033894efd82b4a41
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 02:04:06 2016

cryptohome: Test for symlinks before copying attestation file.

BUG=chromium:649039
TEST=Rebooted device with normal file vs. symlink.

Change-Id: I3a86d5bec4495f8a0dd9e038ab3278bd394517d8
Reviewed-on: https://chromium-review.googlesource.com/388186
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/be7d1436d816775151477fdc033894efd82b4a41/cryptohome/init/cryptohomed.conf
Sep 26 2016

This also includes https://chromium-review.googlesource.com/#/c/388145/, which for some reason did not post a comment to this bug.
Sep 26 2016

Approving merge to M53 cros.
Sep 26 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/49dff97ca037a4d65c4fc39dade0396e107d7494

commit 49dff97ca037a4d65c4fc39dade0396e107d7494
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 00:15:01 2016

login: Prefer /run over /var/run.

/var lives on the stateful partition, while /run is a tmpfs. Normally, /var/run is a symlink to /run, but if a device is compromised, the contents of /var cannot be trusted.

BUG=chromium:649039
TEST=Can boot/login with changes.

Change-Id: I06aa3491ad4897eecafe835611a0d837b22faef4
Reviewed-on: https://chromium-review.googlesource.com/388145
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b2a678ec655825bcba58d7f8d51ad40bad33ed6e)
Reviewed-on: https://chromium-review.googlesource.com/389612
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/ui-collect-machine-info.conf
[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/logout.conf
[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/ui-init-late.conf
[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/login.conf
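The three defensive measures recorded in the fix commits above (recreate /var/run on every boot, confirm stateful paths are real directories before changing their mode, and refuse to move the attestation file across a symlink), sketched as POSIX sh. This is an added example, not code from chromeos_startup or cryptohomed.conf; ROOT is an assumed sandbox prefix so the functions run against a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the ChromeOS tree: a sketch of the boot-time
# checks the fixes above describe. ROOT is an assumed sandbox prefix so the
# functions can be exercised against a scratch directory tree.
ROOT="${ROOT:-$(mktemp -d)}"

# True only if $1 exists, is a real directory, and is not a symlink.
is_real_dir() {
  [ ! -L "$1" ] && [ -d "$1" ]
}

# Adjust the mode of a stateful-partition directory only after confirming it
# is a real directory; a planted symlink would otherwise redirect the change.
fixup_stateful_dir() {
  dir="$1"; mode="$2"
  if [ -L "$dir" ]; then
    echo "refusing: $dir is a symlink" >&2
    return 1
  fi
  mkdir -p "$dir" && chmod "$mode" "$dir"
}

# Recreate var/run -> /run on every boot regardless of what the stateful
# partition currently holds there (rm -rf on a symlink removes the link only).
recreate_run_symlink() {
  rm -rf "$ROOT/var/run"
  mkdir -p "$ROOT/var"
  ln -s /run "$ROOT/var/run"
  [ "$(readlink "$ROOT/var/run")" = /run ]
}

# Move a preserved file only when neither end is a symlink, so the move cannot
# be redirected into a directory such as /dev.
move_if_not_symlink() {
  src="$1"; dst="$2"
  if [ -L "$src" ] || [ -L "$dst" ]; then
    echo "refusing: symlink at $src or $dst" >&2
    return 1
  fi
  [ -f "$src" ] && mv "$src" "$dst"
}
```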
Sep 26 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/4b3ab91b776bb34d3103ef67870980cffa6fcc40

commit 4b3ab91b776bb34d3103ef67870980cffa6fcc40
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 00:15:01 2016

login: Prefer /run over /var/run.

/var lives on the stateful partition, while /run is a tmpfs. Normally, /var/run is a symlink to /run, but if a device is compromised, the contents of /var cannot be trusted.

BUG=chromium:649039
TEST=Can boot/login with changes.

Change-Id: I06aa3491ad4897eecafe835611a0d837b22faef4
Reviewed-on: https://chromium-review.googlesource.com/388145
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b2a678ec655825bcba58d7f8d51ad40bad33ed6e)
Reviewed-on: https://chromium-review.googlesource.com/389613
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/ui-collect-machine-info.conf
[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/logout.conf
[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/ui-init-late.conf
[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/login.conf
Sep 26 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/04b268c92806faa4b066ccfbf4806eac3358d705

commit 04b268c92806faa4b066ccfbf4806eac3358d705
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 01:03:36 2016

init: Recreate /var/run and /var/lock symlinks on each boot.

Also adds some extra paranoid checks that certain stateful partition paths are directories before changing their permissions/owners/groups.

BUG=chromium:649039
TEST=Device boots.

Change-Id: I90ebdffe3b0c377ea8c9caaada4228f20d534833
Reviewed-on: https://chromium-review.googlesource.com/388067
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
(cherry picked from commit 8d2a9d39b4e4fa51897fd67a02748273c15167ad)
Reviewed-on: https://chromium-review.googlesource.com/389611
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/04b268c92806faa4b066ccfbf4806eac3358d705/init/chromeos_startup
Sep 26 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/0a5a3db7c5d2d85d070ecae86739dc42db478ce7

commit 0a5a3db7c5d2d85d070ecae86739dc42db478ce7
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 01:03:36 2016

init: Recreate /var/run and /var/lock symlinks on each boot.

Also adds some extra paranoid checks that certain stateful partition paths are directories before changing their permissions/owners/groups.

BUG=chromium:649039
TEST=Device boots.

Change-Id: I90ebdffe3b0c377ea8c9caaada4228f20d534833
Reviewed-on: https://chromium-review.googlesource.com/388067
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
(cherry picked from commit 8d2a9d39b4e4fa51897fd67a02748273c15167ad)
Reviewed-on: https://chromium-review.googlesource.com/389614
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/0a5a3db7c5d2d85d070ecae86739dc42db478ce7/init/chromeos_startup
Sep 26 2016

Note: It looks like there's a systemd migration effort happening for some things (https://chromium-review.googlesource.com/378875). We'll want to make sure those have the appropriate files.
Sep 26 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/4f9ee960841d2b5647524987b68e71f1b81e25a4

commit 4f9ee960841d2b5647524987b68e71f1b81e25a4
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 02:04:06 2016

cryptohome: Test for symlinks before copying attestation file.

BUG=chromium:649039
TEST=Rebooted device with normal file vs. symlink.

Change-Id: I3a86d5bec4495f8a0dd9e038ab3278bd394517d8
Reviewed-on: https://chromium-review.googlesource.com/388186
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/389651
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/4f9ee960841d2b5647524987b68e71f1b81e25a4/cryptohome/init/cryptohomed.conf
Sep 26 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/38429c4b904145b198abd7b7d1ca6a0fd2c89ca4

commit 38429c4b904145b198abd7b7d1ca6a0fd2c89ca4
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 02:04:06 2016

cryptohome: Test for symlinks before copying attestation file.

BUG=chromium:649039
TEST=Rebooted device with normal file vs. symlink.

Change-Id: I3a86d5bec4495f8a0dd9e038ab3278bd394517d8
Reviewed-on: https://chromium-review.googlesource.com/388186
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/389632
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/38429c4b904145b198abd7b7d1ca6a0fd2c89ca4/cryptohome/init/cryptohomed.conf
Sep 27 2016

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 27 2016

Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 30 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 14 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/611eef6d3e52a0600ccb58ada420fe5f3bcd6b15

commit 611eef6d3e52a0600ccb58ada420fe5f3bcd6b15
Author: Mike Frysinger <vapier@chromium.org>
Date: Mon Oct 10 21:44:35 2016

init: chromeos_startup: force /var/spool sanity too

A few services rely on /var/spool existing and being sane (like crash reporting). Add it to the initial set of /var checks.

BUG=chromium:649039
TEST=device boots

Change-Id: I7b14994f29dbedbe1613fb0c6ef0c00a5ee1634e
Reviewed-on: https://chromium-review.googlesource.com/395689
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/611eef6d3e52a0600ccb58ada420fe5f3bcd6b15/init/chromeos_startup
Jan 3 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org, Sep 21 2016