Starred by 3 users
Status: Fixed
Closed: Sep 2016
OS: Chrome
Pri: 1
Type: Bug-Security

Blocking:
issue 648971



Security: ChromeOS Exploit persistence via symlink
Project Member Reported by elawre...@chromium.org, Sep 21 2016
Breakout bug for a portion of the exploit chain described in issue 648971.
------

This is similar to what geohot did in https://crbug.com/351788
Snippet from /etc/init/ui-collect-machine-info.conf:
  env UI_MACHINE_INFO_FILE=/var/run/session_manager/machine-info
  dump_vpd_log --full --stdout > "${UI_MACHINE_INFO_FILE}"

The exploit symlinks machine-info to /run/modprobe.d which is a configuration file for modprobe. dump_vpd_log writes /mnt/stateful_partition/unencrypted/cache/vpd/full-v2.txt into /run/modprobe.d. The exploit places the "install modulename command..." clause into full-v2.txt to launch a command at boot.

There are difficulties, though, and the exploit uses symlinks extensively to overcome them. Here is a list:

  1) /var/run/session_manager/machine-info -> /run/modprobe.d
    Written to by /etc/init/ui-collect-machine-info.conf

  2) /var/run -> /var/real_run
    /var/run normally points to /run tmpfs, so redirect it to a stateful partition

  3) /var/log -> /run
    login_manager creates the /var/log/chrome directory. Use it to create the /run/chrome directory.

  4) /mnt/stateful_partition/unencrypted/preserve/attestation.epb -> /dev/net/
    /etc/init/cryptohomed.conf moves /mnt/stateful_partition/home/.shadow/attestation.epb to /mnt/stateful_partition/unencrypted/preserve/attestation.epb. Use it to move a device file into /dev/net.

  5) /var/lib/metrics/uma-events -> /dev/net/attestation.epb
    The uma-events file is often accessed by metrics. Link it to attestation.epb device file. Accessing the device triggers modprobe.

 
Cc: gzo...@gmail.com
Cc: keescook@chromium.org
Project Member Comment 3 by sheriffbot@chromium.org, Sep 22 2016
Labels: M-53
Project Member Comment 4 by sheriffbot@chromium.org, Sep 22 2016
Status: Assigned
Cc: derat@chromium.org
Project Member Comment 6 by bugdroid1@chromium.org, Sep 25 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/8d2a9d39b4e4fa51897fd67a02748273c15167ad

commit 8d2a9d39b4e4fa51897fd67a02748273c15167ad
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 01:03:36 2016

init: Recreate /var/run and /var/lock symlinks on each boot.

Also adds some extra paranoid checks that certain stateful partition
paths are directories before changing their permissions/owners/groups.

BUG= chromium:649039 
TEST=Device boots.

Change-Id: I90ebdffe3b0c377ea8c9caaada4228f20d534833
Reviewed-on: https://chromium-review.googlesource.com/388067
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/8d2a9d39b4e4fa51897fd67a02748273c15167ad/init/chromeos_startup

Project Member Comment 7 by bugdroid1@chromium.org, Sep 25 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/be7d1436d816775151477fdc033894efd82b4a41

commit be7d1436d816775151477fdc033894efd82b4a41
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 02:04:06 2016

cryptohome: Test for symlinks before copying attestation file.

BUG= chromium:649039 
TEST=Rebooted device with normal file vs. symlink.

Change-Id: I3a86d5bec4495f8a0dd9e038ab3278bd394517d8
Reviewed-on: https://chromium-review.googlesource.com/388186
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/be7d1436d816775151477fdc033894efd82b4a41/cryptohome/init/cryptohomed.conf

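The two checks the commits above describe (refusing to fix up a stateful path that is not a plain directory, and testing for symlinks before moving the attestation file), written as an added POSIX sh example. This is not the platform2 code; the function names, the decision to check both ends of the move, and the throwaway tree used by self_check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ChromeOS platform2 code: the two hardening checks the
# commits above describe, written as POSIX sh functions. Function names and
# the temporary tree used by self_check are assumptions of this example.

# Only create/chmod a stateful path if it is a real directory. A symlink or a
# non-directory planted there via a compromised stateful partition is refused.
# (The real chromeos_startup also chowns; omitted so this runs unprivileged.)
fix_stateful_dir() {
  path="$1"; mode="$2"
  if [ -L "$path" ] || { [ -e "$path" ] && [ ! -d "$path" ]; }; then
    echo "refusing to fix up $path: not a plain directory" >&2
    return 1
  fi
  mkdir -p "$path" && chmod "$mode" "$path"
}

# Move a file into its preserve location only when neither side is a symlink,
# so the move cannot be redirected into another directory (cf. item 4 above).
preserve_if_regular() {
  src="$1"; dst="$2"
  if [ -L "$src" ] || [ ! -f "$src" ] || [ -L "$dst" ]; then
    echo "refusing to move $src: symlink or not a regular file" >&2
    return 1
  fi
  mv -f "$src" "$dst"
}

# Exercise both checks in a throwaway tree; returns 0 when every case behaves.
self_check() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/var" "$t/elsewhere" "$t/shadow" "$t/preserve"
  ln -s "$t/elsewhere" "$t/var/lock"           # planted symlink (constructed)
  echo data > "$t/shadow/attestation.epb"      # constructed sample file
  ln -s "$t/elsewhere" "$t/preserve/evil.epb"  # symlinked destination
  fix_stateful_dir "$t/var/spool" 0755 || return 1              # real dir: ok
  fix_stateful_dir "$t/var/lock" 0755 2>/dev/null && return 1   # symlink: refused
  preserve_if_regular "$t/shadow/attestation.epb" "$t/preserve/attestation.epb" || return 1
  [ -f "$t/preserve/attestation.epb" ] || return 1
  echo data > "$t/shadow/attestation.epb"
  preserve_if_regular "$t/shadow/attestation.epb" "$t/preserve/evil.epb" 2>/dev/null && return 1
  [ ! -e "$t/elsewhere/attestation.epb" ] || return 1           # nothing landed there
  rm -rf "$t"
  return 0
}

self_check && echo "symlink checks behave as expected"
```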
Comment 8 by rickyz@chromium.org, Sep 26 2016
Labels: Merge-Request-53 Merge-Request-54
Comment 9 by rickyz@chromium.org, Sep 26 2016
This also includes https://chromium-review.googlesource.com/#/c/388145/, which for some reason did not post a comment to this bug.
Labels: -Merge-Request-53 Merge-Approved-53
Approving merge to M53 cros.
Project Member Comment 11 by bugdroid1@chromium.org, Sep 26 2016
Labels: merge-merged-release-R53-8530.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/49dff97ca037a4d65c4fc39dade0396e107d7494

commit 49dff97ca037a4d65c4fc39dade0396e107d7494
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 00:15:01 2016

login: Prefer /run over /var/run.

/var lives on the stateful partition, while /run is a tmpfs. Normally,
/var/run is a symlink to /run, but if a device is compromised, the
contents of /var cannot be trusted.

BUG= chromium:649039 
TEST=Can boot/login with changes.

Change-Id: I06aa3491ad4897eecafe835611a0d837b22faef4
Reviewed-on: https://chromium-review.googlesource.com/388145
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b2a678ec655825bcba58d7f8d51ad40bad33ed6e)
Reviewed-on: https://chromium-review.googlesource.com/389612
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/ui-collect-machine-info.conf
[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/logout.conf
[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/ui-init-late.conf
[modify] https://crrev.com/49dff97ca037a4d65c4fc39dade0396e107d7494/login_manager/init/login.conf

Project Member Comment 12 by bugdroid1@chromium.org, Sep 26 2016
Labels: merge-merged-release-R54-8743.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/4b3ab91b776bb34d3103ef67870980cffa6fcc40

commit 4b3ab91b776bb34d3103ef67870980cffa6fcc40
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 00:15:01 2016

login: Prefer /run over /var/run.

/var lives on the stateful partition, while /run is a tmpfs. Normally,
/var/run is a symlink to /run, but if a device is compromised, the
contents of /var cannot be trusted.

BUG= chromium:649039 
TEST=Can boot/login with changes.

Change-Id: I06aa3491ad4897eecafe835611a0d837b22faef4
Reviewed-on: https://chromium-review.googlesource.com/388145
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b2a678ec655825bcba58d7f8d51ad40bad33ed6e)
Reviewed-on: https://chromium-review.googlesource.com/389613
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/ui-collect-machine-info.conf
[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/logout.conf
[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/ui-init-late.conf
[modify] https://crrev.com/4b3ab91b776bb34d3103ef67870980cffa6fcc40/login_manager/init/login.conf

Project Member Comment 14 by bugdroid1@chromium.org, Sep 26 2016
Labels: merge-merged-release-R53-8530.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/04b268c92806faa4b066ccfbf4806eac3358d705

commit 04b268c92806faa4b066ccfbf4806eac3358d705
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 01:03:36 2016

init: Recreate /var/run and /var/lock symlinks on each boot.

Also adds some extra paranoid checks that certain stateful partition
paths are directories before changing their permissions/owners/groups.

BUG= chromium:649039 
TEST=Device boots.

Change-Id: I90ebdffe3b0c377ea8c9caaada4228f20d534833
Reviewed-on: https://chromium-review.googlesource.com/388067
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
(cherry picked from commit 8d2a9d39b4e4fa51897fd67a02748273c15167ad)
Reviewed-on: https://chromium-review.googlesource.com/389611
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/04b268c92806faa4b066ccfbf4806eac3358d705/init/chromeos_startup

Project Member Comment 15 by bugdroid1@chromium.org, Sep 26 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/0a5a3db7c5d2d85d070ecae86739dc42db478ce7

commit 0a5a3db7c5d2d85d070ecae86739dc42db478ce7
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 01:03:36 2016

init: Recreate /var/run and /var/lock symlinks on each boot.

Also adds some extra paranoid checks that certain stateful partition
paths are directories before changing their permissions/owners/groups.

BUG= chromium:649039 
TEST=Device boots.

Change-Id: I90ebdffe3b0c377ea8c9caaada4228f20d534833
Reviewed-on: https://chromium-review.googlesource.com/388067
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
(cherry picked from commit 8d2a9d39b4e4fa51897fd67a02748273c15167ad)
Reviewed-on: https://chromium-review.googlesource.com/389614
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/0a5a3db7c5d2d85d070ecae86739dc42db478ce7/init/chromeos_startup

Note: It looks like there's a systemd migration effort happening for some things (https://chromium-review.googlesource.com/378875).

We'll want to make sure those have the appropriate files.
Project Member Comment 17 by bugdroid1@chromium.org, Sep 26 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/4f9ee960841d2b5647524987b68e71f1b81e25a4

commit 4f9ee960841d2b5647524987b68e71f1b81e25a4
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 02:04:06 2016

cryptohome: Test for symlinks before copying attestation file.

BUG= chromium:649039 
TEST=Rebooted device with normal file vs. symlink.

Change-Id: I3a86d5bec4495f8a0dd9e038ab3278bd394517d8
Reviewed-on: https://chromium-review.googlesource.com/388186
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/389651
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/4f9ee960841d2b5647524987b68e71f1b81e25a4/cryptohome/init/cryptohomed.conf

Project Member Comment 18 by bugdroid1@chromium.org, Sep 26 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/38429c4b904145b198abd7b7d1ca6a0fd2c89ca4

commit 38429c4b904145b198abd7b7d1ca6a0fd2c89ca4
Author: Ricky Zhou <rickyz@chromium.org>
Date: Thu Sep 22 02:04:06 2016

cryptohome: Test for symlinks before copying attestation file.

BUG= chromium:649039 
TEST=Rebooted device with normal file vs. symlink.

Change-Id: I3a86d5bec4495f8a0dd9e038ab3278bd394517d8
Reviewed-on: https://chromium-review.googlesource.com/388186
Commit-Ready: Ricky Zhou <rickyz@chromium.org>
Tested-by: Ricky Zhou <rickyz@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/389632
Reviewed-by: Ricky Zhou <rickyz@chromium.org>
Commit-Queue: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/38429c4b904145b198abd7b7d1ca6a0fd2c89ca4/cryptohome/init/cryptohomed.conf

Project Member Comment 19 by sheriffbot@chromium.org, Sep 27 2016
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 20 by dimu@chromium.org, Sep 27 2016
Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Project Member Comment 21 by sheriffbot@chromium.org, Sep 28 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 22 by sheriffbot@chromium.org, Sep 30 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.
Project Member Comment 23 by sheriffbot@chromium.org, Oct 3 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.
Labels: -Merge-Approved-53 -Merge-Approved-54
Project Member Comment 25 by bugdroid1@chromium.org, Oct 14 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/611eef6d3e52a0600ccb58ada420fe5f3bcd6b15

commit 611eef6d3e52a0600ccb58ada420fe5f3bcd6b15
Author: Mike Frysinger <vapier@chromium.org>
Date: Mon Oct 10 21:44:35 2016

init: chromeos_startup: force /var/spool sanity too

A few services rely on /var/spool existing and being sane (like crash
reporting).  Add it to the initial set of /var checks.

BUG= chromium:649039 
TEST=device boots

Change-Id: I7b14994f29dbedbe1613fb0c6ef0c00a5ee1634e
Reviewed-on: https://chromium-review.googlesource.com/395689
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/611eef6d3e52a0600ccb58ada420fe5f3bcd6b15/init/chromeos_startup

Project Member Comment 26 by sheriffbot@chromium.org, Jan 3 2017
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.
Comment 27 by dchan@google.com, Jan 21 2017
Labels: VerifyIn-57
Labels: VerifyIn-58
Labels: VerifyIn-59
Labels: VerifyIn-60
Labels: VerifyIn-61