Starred by 2 users
Status: Fixed
Owner:
Closed: May 19
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



Security: chronos user local file read (ImageBurner)
Reported by r...@rorym.cnamara.com, Mar 16
VULNERABILITY DETAILS
The chronos user can read any file on the local file system via the 'ImageBurner.BurnImage' dbus endpoint.

This issue was only tested under developer mode, but it appears an attacker (as chronos user) with access to dbus would be able to utilize this exploit.

VERSION
ChromeOS Version:
Toshiba Chromebook 2
Version 56.0.2924.110 (64-bit)
Platform 9000.91.0 (Official Build) stable-channel swanky
Firmware Google_Swanky.5216.238.5

REPRODUCTION CASE
A USB memory stick is required for exploitation. THIS MEMORY STICK WILL BE OVERWRITTEN/CORRUPTED.

Plug in the memory stick, use dmesg or similar to find the block device (e.g. /dev/sda). Run the following dbus-send command, the first parameter being the file to read, the second being the previously found block device.

dbus-send --type=method_call --print-reply --system --dest=org.chromium.ImageBurner /org/chromium/ImageBurner org.chromium/ImageBurnerInterface.BurnImage string:"/etc/shadow" string:"/dev/sda"

Once the command has been executed, remove the USB device and plug it into another computer, on which it can be read as a raw device (i.e. you have root and can 'cat /dev/sda'). It may be necessary to sync/shutdown the chromebook before removal to ensure the data is not cached.

According to [1], the chronos user has explicit access to this dbus endpoint.

Similar to crbug.com/678365#c12, this is a low impact bug as there is nothing particularly sensitive on disk, and furthermore an external disk is required, further decreasing risk/impact. However given the regular expressions in [2], it may be possible at some point to reimage one of the /dev/mmcblk[0-9]+ block devices for further exploitation. No interesting /dev/mmcblk[0-9]+ block devices are mounted at this time, that I could see.

[1] https://chromium.googlesource.com/chromiumos/platform2/+/master/image-burner/ImageBurner.conf
[2] https://chromium.googlesource.com/chromiumos/platform2/+/master/image-burner/image_burner_impl.cc#19
 
Components: OS>Kernel
Labels: Security_Severity-Low Security_Impact-Stable M-59
Owner: vapier@chromium.org
Status: Assigned
Labels: OS-Chrome
Apologies, there is a misplaced '/' in the dbus-send command. It should be a '.'. The correct command is below:

dbus-send --type=method_call --print-reply --system --dest=org.chromium.ImageBurner /org/chromium/ImageBurner org.chromium.ImageBurnerInterface.BurnImage string:"/etc/shadow" string:"/dev/sda"
Cc: vapier@chromium.org tbarzic@chromium.org
Owner: tbarzic@chromium.org
ImageBurner needs a bit of love in general wrt security/hardening.  it always runs as root currently and doesn't drop any perms or use namespaces/seccomp.

i'm not familiar with the chrome side to know what paths it sends over, but seems like it wouldn't be too hard to restrict ValidateSourcePath to a few locations and to run it as a different user in the chronos-access group.
Cc: benchan@chromium.org
Yeah, I think image burner needs some more love in general, not just regarding security/hardening :/

I'll try to find some time for this...
Project Member Comment 7 by sheriffbot@chromium.org, Mar 17
Labels: Pri-2
Regarding the impact of this bug, I don't think it's entirely useless.

This exploit can be used to read /proc/*/maps and bypass ASLR for all processes (impact being non-chronos owned processes). You would still need another exploit to utilize this ASLR bypass.

I verified this by reading /proc/1/maps, which is not usually readable by chronos, and observing the base addresses of all the memory regions.
As a first step, we can probably restrict the source path to be under one of the following parents, which should cover most of the potential locations we want to support:

  /home/chronos/user/Downloads/  - Download folder
  /home/chronos/user/GCache/     - Drive cache
  /media/archive/                - Mounted archive
  /media/removable/              - Mounted removable drive

I haven't looked into whether image-burner supports archives mounted by FSP, but I assume if it's supported, the cache location is different from the Drive cache location.

The second step is to properly contain image-burner within a minijail.

tbarzic@, I can help draft a quick CL for the first step.
Project Member Comment 10 by bugdroid1@chromium.org, Mar 22
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/58869eb415497afbb6266d13829be868ec39106f

commit 58869eb415497afbb6266d13829be868ec39106f
Author: Ben Chan <benchan@chromium.org>
Date: Wed Mar 22 08:43:57 2017

image-burner: restrict source path to allowed locations

This CL modifies image-burner to restrict the source path to be within a
few allowed locations from where the image file can be read.

BUG= chromium:702030 
TEST=Run unit tests.
TEST=Test burning a recovery image, from the following locations, to a
     USB drive on Chromebook via the Chromebook Recovery Utility and
     OnHub Recovery Utility app:
     - the Download folder
     - a Drive folder
     - a mounted zip file
     - another mounted USB drive

Change-Id: Id84204fc58978b5e924296c3f3bae8858cc32c22
Reviewed-on: https://chromium-review.googlesource.com/457403
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Toni Barzic <tbarzic@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_utils.h
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_test_utils.h
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_impl.h
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_impl.cc
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_main.cc
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_impl_unittest.cc
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_utils_interfaces.h
[modify] https://crrev.com/58869eb415497afbb6266d13829be868ec39106f/image-burner/image_burner_utils.cc

benchan@ - any other changes expected or can this be marked as fixed?  Thanks!
Owner: benchan@chromium.org
Status: Started
Re: #11. I plan to land one more change to mitigate a race condition. Will upload it soon.
Project Member Comment 13 by bugdroid1@chromium.org, Apr 7
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/dbace9f4dca149e5b2a85cf92264063b7e1ec901

commit dbace9f4dca149e5b2a85cf92264063b7e1ec901
Author: Ben Chan <benchan@chromium.org>
Date: Fri Apr 07 07:17:44 2017

image-burner: avoid potential TOCTOU race in source path validation

This CL adds an additional check in image-burner to ensure that, after
verifying that the source path specifies an image file in an allowed
location (see CL:457403), the opened image file for reading refers to
the same path.

BUG= chromium:702030 
TEST=Run unit tests.
TEST=Test burning a recovery image, from the following locations, to a
     USB drive on Chromebook via the Chromebook Recovery Utility and
     OnHub Recovery Utility app:
     - the Download folder
     - a Drive folder
     - a mounted zip file
     - another mounted USB drive

Change-Id: I156685178a62773d51bc2b52caf873d0f069f49d
Reviewed-on: https://chromium-review.googlesource.com/468050
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/dbace9f4dca149e5b2a85cf92264063b7e1ec901/image-burner/image_burner_utils.cc

Project Member Comment 14 by bugdroid1@chromium.org, Apr 7
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/f503382161a64873fa0a4214e90be7e991395816

commit f503382161a64873fa0a4214e90be7e991395816
Author: Ben Chan <benchan@chromium.org>
Date: Fri Apr 07 07:17:44 2017

image-burner: handle /home/chronos/u-<hash>/* in source path validation

CL:457403 added a simple check to verify that the source path is within
a few allowed locations from where the image file can be read. However,
the simple check didn't handle /home/chronos/u-<hash>/*, which is an
allowed location. This CL improves the check.

BUG= chromium:702030 
TEST=Run unit tests.
TEST=Test burning a recovery image, from the following locations, to a
     USB drive on Chromebook via the Chromebook Recovery Utility and
     OnHub Recovery Utility app:
     - the Download folder
     - a Drive folder
     - a mounted zip file
     - another mounted USB drive

Change-Id: Iaef0ce5bb586840b7bc9ec70360c55e7997b54da
Reviewed-on: https://chromium-review.googlesource.com/469233
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Toni Barzic <tbarzic@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/f503382161a64873fa0a4214e90be7e991395816/image-burner/image_burner_impl.h
[modify] https://crrev.com/f503382161a64873fa0a4214e90be7e991395816/image-burner/image_burner_impl.cc
[modify] https://crrev.com/f503382161a64873fa0a4214e90be7e991395816/image-burner/image_burner_impl_unittest.cc

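The following is an added illustration, not code from platform2 or from any of the CLs above, of the two-step validation this thread converges on: the allowed-parent check from comment 9, extended to the per-user /home/chronos/u-<hash>/ form that CL:469233 handles, followed by the same-inode check that CL:468050 adds against a check-then-open race. The function names, the use of realpath for canonicalisation and the 40-hex-digit form of <hash> are assumptions of this example.

```cpp
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <regex>
#include <string>
#include <vector>
// Allowed parents per comment 9, plus the per-user /home/chronos/u-<hash>/
// form from CL:469233 (40 hex digits for <hash> is an assumption here).
static const std::vector<std::string> kChromeOsAllowedParents = {
    "^/home/chronos/(user|u-[0-9a-f]{40})/Downloads/",
    "^/home/chronos/(user|u-[0-9a-f]{40})/GCache/",
    "^/media/archive/",
    "^/media/removable/",
};

// Step 1: canonicalise, resolving symlinks and "..", so a path such as
// "/media/removable/../../etc/shadow" cannot pass the allowed-parent test.
bool IsAllowedSourcePath(const std::string& path,
                         const std::vector<std::string>& allowed_parents,
                         std::string* canonical) {
  char resolved[PATH_MAX];
  if (path[0] != '/' || !realpath(path.c_str(), resolved)) return false;
  *canonical = resolved;
  for (const std::string& pattern : allowed_parents)
    if (std::regex_search(*canonical, std::regex(pattern))) return true;
  return false;
}

// Step 2: open the canonical path and confirm the descriptor is the same
// inode the check saw (the TOCTOU race of CL:468050). Returns -1 on failure.
int OpenValidatedSource(const std::string& path,
                        const std::vector<std::string>& allowed_parents) {
  std::string canonical;
  if (!IsAllowedSourcePath(path, allowed_parents, &canonical)) return -1;
  struct stat before, after;
  if (stat(canonical.c_str(), &before) != 0 || !S_ISREG(before.st_mode))
    return -1;
  int fd = open(canonical.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
  if (fd < 0) return -1;
  if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev ||
      after.st_ino != before.st_ino || !S_ISREG(after.st_mode)) {
    close(fd);
    return -1;
  }
  return fd;
}
```

The caller then reads the image only through the returned descriptor, never by reopening the path string.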
Status: Fixed
Project Member Comment 18 by sheriffbot@chromium.org, May 20
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Release-0-M59
Labels: CVE-2017-5084
Project Member Comment 21 by sheriffbot@chromium.org, Aug 26
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot