Security: Chrome OS infinite loop in readdir() in node.c causes mount.exfat-fuse to fill the encrypted filesystem
Reported by lael.cel...@gmail.com, May 15 2017
Issue description

ATTACK SCENARIO
This kind of vulnerability is best suited for targeting a single person since an exploit can only work on a single vendor firmware, but here are the steps: An SD card is dropped in a car park. Preferably a large SD card (1Tb) in its vendor plastic with its several-hundred-dollar price on it. As soon as the user opens the root directory listing, nothing happens but a request to wait. But as he/she waits for the content of the SD card to show up, /var/log starts to fill the whole encrypted partition, which is the same as the home directories. At first look, this looks to be a denial of service, except if we consider that the user who doesn't know what a command line interface is will quickly follow the official documentation https://www.chromium.org/chromium-os/poking-around-your-chrome-os-device#TOC-Putting-your-Chrome-OS-Device-into-Developer-Mode which states that disabling rootfs verification is required to put the device in developer mode, which would leverage other file system vulnerabilities for installing a persistence exploit by simply not dealing with rootfs verification (if rootfs verification no longer works after being turned back on, the user would ignore it and turn it off again).

VULNERABILITY DETAILS
It seems rc = read_entries(ef, parent, &entry, 1, *offset); in libexfat in node.c fetches the current entry, filling /var/log/message. The vulnerability is fixed upstream, see the patch.

VERSION
All versions starting since R26

REPRODUCTION CASE
For practical purposes, I didn't put the problem inside the root directory, so just open '/..R' and wait for the directory to show up.
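The failure class the report describes, a directory walker that keeps re-reading the same entry and writes a log line on every pass, modelled as an added example. This is constructed code, not libexfat's node.c or its upstream patch; the entry types, the sample directory, read_entry() and walk_dir() are all hypothetical. It shows the spinning variant beside a hardened one that always advances and caps how often a bad entry is logged, so a malformed card cannot grow the log without bound.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the bug class in the report (not libexfat's node.c):
 * a directory is an in-memory table of entries and a walker reads the entry
 * at `offset`, logging and skipping anything it does not understand. If a
 * corrupt entry is logged but the offset is not advanced, the walk spins
 * forever and every pass adds a log line, which is what fills the partition. */
enum { T_END = 0, T_FILE = 1, T_CORRUPT = 0x7f };  /* hypothetical entry types */
struct entry { uint8_t type; char name[15]; };

/* Constructed sample directory: one corrupt entry between two files. */
static const struct entry SAMPLE_DIR[] = {
    { T_FILE, "a.txt" }, { T_CORRUPT, "" }, { T_FILE, "b.txt" }, { T_END, "" }
};
#define SAMPLE_COUNT (sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0])

/* Hypothetical read_entries() stand-in: 1 = entry copied to *out, 0 = end of directory. */
static int read_entry(const struct entry *dir, size_t count, size_t offset, struct entry *out)
{
    if (offset >= count || dir[offset].type == T_END) return 0;
    *out = dir[offset];
    return 1;
}

/* Walk `dir`. Returns the number of usable entries, or -1 when `budget`
 * iterations pass without reaching the end (the walk is spinning).
 * `*log_lines` counts the error messages that would have been written.
 * hardened=0 reproduces the bug class; hardened=1 applies two fixes:
 * always advance past a bad entry, and cap how often it is logged. */
int walk_dir(const struct entry *dir, size_t count, int hardened,
             unsigned budget, unsigned *log_lines)
{
    size_t offset = 0;
    int found = 0;
    *log_lines = 0;
    for (unsigned iter = 0; iter < budget; iter++) {
        struct entry e;
        if (!read_entry(dir, count, offset, &e)) return found;
        if (e.type == T_CORRUPT) {
            if (!hardened || *log_lines < 3)   /* fix 2: rate-limit the log */
                (*log_lines)++;                /* stands in for exfat_error() */
            if (!hardened) continue;           /* bug: offset never advances */
        }
        offset++;                              /* fix 1: always make progress */
        found += (e.type != T_CORRUPT);
    }
    return -1;                                 /* budget exhausted: spinning */
}
```

With the same sample directory the buggy variant never finishes and emits one log line per pass, while the hardened one returns both files and logs the corrupt entry once.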
May 16 2017
Not a security vulnerability, due to the developer mode requirement and DoS only. https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Are-denial-of-service-issues-considered-security-bugs-
Comment 1 by elawrence@chromium.org, May 15 2017