Issue metadata
Sign in to add a comment
|
Security: crosh shell sandbox escape
Reported by
r...@rorym.cnamara.com,
Jan 2 2017
|
||||||||||||||||||||||
Issue description
VULNERABILITY DETAILS
It was found possible to break out of the crosh shell sandbox given the ability to plug in a prepared USB stick. Full
command execution was obtained, with commands persisting for the lifetime of the user's session, including when the
machine was locked. It was not possible for a command to persist after the user had logged out. All commands were run as
the 'chronos' user.
VERSION
Chrome Version:
Toshiba Chromebook 2
Version 55.0.2883.103 (64-bit)
Platform 8872.73.0 (Official Build) stable-channel swanky
Firmware Google_Swanky.5216.238.5
REPRODUCTION CASE
With a removable disk formatted as ext4, create a symlink from /home/chronos/user/.toprc to a usable file on the disk,
i.e top.rc
This path was obtained by opening the crosh terminal (Ctrl+Alt+T), running top and pressing W, which shows
the output "Wrote configuration to /home/chronos/user/.toprc". A valid copy of the file was obtained from running this
command with developer mode enabled, and reading out the file, but it would be possible to open the crafted link in
browser to copy the file contents. When the removable disk is plugged in, the symlink does not show in the Files
browser, so it is necessary to have another file on the disk which can be opened in the browser, for which the Location
bar address can be modified to open the symlinked file. (i.e open index.html, replace index.html in the address bar with
top.rc)
With the obtained copy of .toprc, append the following line, separated by real tab characters between pipe, hack, and /bin/bash:
pipe hack /bin/bash -c 'reset; exec /bin/bash 2>&1'
Put this file on the removable disk as well. Any name will be fine as long as it does not conflict with the symlink
already created. The specific command is not particularly important, but this example creates a usable shell inside the
top environment (top does not expect long running processes so output is buffered, except stderr).
Plug in the removable disk and open the modified toprc file, if necessary drag the file to an open browser window. Right
click and save as, and specify the path to overwrite the symlink (i.e filename top.rc, type All files). Save the file.
The popup notification for file downloads should show 1 B saved. The overwrite can be confirmed by opening up the
symlink file (i.e top.rc ) in the browser and verifying that the contents match the modified version.
Now open the crosh terminal, run top and press Y. You should see 'inspect at PID [default pid = xxxx]'. Press enter, it
does not matter what the pid is. On the next page, the 'hack' tab should be seen. Press enter again to select it and you
should be dropped into a shell.
The attached screenshot shows bash running inside the crosh shell, with cros_debug set to 0 (indicating that we're not
using dev mode).
The following shell output shows the prepared USB stick:
[rory@nixos:~/disk]$ ls -l top.rc exploit_top.rc
-rw-r--r-- 1 rory users 906 Jan 2 13:27 exploit_top.rc
lrwxrwxrwx 1 rory users 25 Jan 2 13:39 top.rc -> /home/chronos/user/.toprc
[rory@nixos:~/disk]$ cat exploit_top.rc
top's Config File (Linux processes with windows)
Id:h, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
Def fieldscur=ķ')*+,-./012568<>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=18, maxtasks=0
summclr=1, msgsclr=1, headclr=3, taskclr=1
Job fieldscur=Ļ)*+,-./012568>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=0, maxtasks=0
summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem fieldscur='()*+,-./0125689BFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=21, maxtasks=0
summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr fieldscur=)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=3, maxtasks=0
summclr=3, msgsclr=3, headclr=2, taskclr=3
Fixed_widest=0, Summ_mscale=0, Task_mscale=0, Zero_suppress=0
pipe hack /bin/bash -c 'reset; exec /bin/bash 1>&2'
,
Jan 2 2017
Thanks for the report. rickyz@: Are you able to triage this?
,
Jan 3 2017
I just repro'd on M57. Some notes: 1. You'll need to give the symlink a file extension. I was trying first with a bare toprc file name for the symlink but that led to "Save as" adding an implicit ".txt" suffix, so a file named "toprc.txt" was created instead of the write going through the symlink. 2. Make sure the USB drive file system is writable for chronos. 3. The redirection should redirect stdout to stderr, i.e. 1>&2. This is correct in the exploit_top.rc listing, but not in the description. Regarding security implications, I'm setting medium severity as this is useful to gain arbitrary code execution as a local user (which shouldn't happen in verified mode). This is potentially useful to attack other Chrome OS users by manipulating chronos-writable state on disk. There is no known/obvious remote vector to invoke the privilege escalation, so severity/impact are limited. Regarding response, I think we have several things to tackle: 1. Command execution via top: top shouldn't execute any external commands. 2. Arbitrary file access via symlinks: Symlinks in an accessible FS location (such as storage media, /home/chronos/user/Downloads) allow access to FS locations intended to be non-accessible. I'll file separate bugs for these. rickyz@ is no longer with the team, and I'll soon disappear on paternity leave, so I'll tentatively re-assign this to vapier@ who knows this stuff and can find suitable owners for the individual mitigation work bugs. Adding dskaram@ FYI for enterprise/EDU since this exploit may be used to circumvent enterprise user policy.
,
Jan 3 2017
,
Jan 3 2017
,
Jan 3 2017
,
Jan 3 2017
,
Jan 3 2017
this is missing the step of being able to actually set up the .toprc symlink in the first place in /home/chronos/. so you'd need an existing exploit that can create arbitrary symlinks in the filesystem first. i'm not seeing that step listed in the summary anywhere (and creating the symlink in dev mode doesn't count).
,
Jan 3 2017
I used a USB stick formatted with ext4 with an absolute symlink to /home/chronos/user/.toprc in the root of the filesystem.
,
Jan 3 2017
ok, thanks for clarifying for me
,
Jan 4 2017
,
Jan 4 2017
I've just noticed that the exploit rc file can be minimized to just top's Config File (Linux processes with windows) pipe hack /bin/bash -c 'reset; exec /bin/bash 1>&2' which makes it more universal and you don't have to make the extra round trip to use the auto-generated .toprc
,
Jan 5 2017
,
Jan 18 2017
vapier: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 20 2017
,
Feb 1 2017
vapier: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 1 2017
Mike?
,
Feb 1 2017
afaik, mnissler@ was using this as a tracker bug and the issues were being handled in the blocked-on bugs. so we weren't doing any direct work here.
,
Feb 1 2017
,
Feb 1 2017
Is it possible for me to have read access to the two blocked-on bugs? I'm interested in keeping track of the fixes.
,
Feb 1 2017
the crosh fixes are in M56+ now ( issue 677934 ), so that one's not interesting i've cc-ed you on the other one though
,
Feb 1 2017
Thanks
,
Mar 10 2017
,
Apr 20 2017
,
May 5 2017
Closing this here since it is being tracked with blocking bugs.
,
Jul 14 2017
Does this combination of bugs qualify for the Bug Bounty program?
,
Aug 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 16 2017
i don't have any insight into the bug bounty. maybe Jorge knows the contacts.
,
Aug 16 2017
Andrew is our VRP contact.
,
Aug 17 2017
Yep, the reward panel should certainly consider these bugs. It will go up to the panel in a few weeks.
,
Aug 17 2017
,
Sep 7 2017
Apologies if this is already under control, but it looks like this issue was automatically marked ineligible (possibly because it's WontFix Blocked On?). Is this a decision made by the panel or changed in error?
,
Sep 7 2017
Andrew can confirm what happened here.
,
Sep 8 2017
Ahh, drat - yea, I forgot sheriffbot would try to be quite so "helpful" :-) I've added reward-topanel to both of the blocking issues instead. Thanks for spotting!
,
Sep 26 2017
,
Jan 22 2018
,
Jun 21 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by r...@rorym.cnamara.com
, Jan 2 2017