
Issue 818135


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security

Blocking:
issue 817920




Potential root privilege escalation via debugd

Project Member Reported by mnissler@chromium.org, Mar 2 2018

Issue description

Spin-off from issue 817920:

There is a missing \ character in capture_utility.sh [6] which causes the value of ht_location to be executed. This binary can be called via debugd's dbus interface [7] by any user [8], regardless of whether or not the machine is in dev mode. The injection forces the executed binary to have the following 3 arguments: "!= below ]". If the executed binary is 'vi', execution will not fail, after which the vi ':!' command can be used to execute an external command as root. This has been automated and attached in the script privesc.sh.

When executed from crosh this script will return an interactive root shell.
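The report above describes a shell script in which a dropped line-continuation backslash turns the second half of a conditional into a standalone command line, so the user-controlled ht_location value ends up in command position. The following is an added example, not debugd's capture_utility.sh or any code from the Chromium OS project: it shows how a defender would handle such a value so that it can never reach command position, by checking it against an allowlist before use and by writing multi-line tests so that each `[ ... ]` is complete on its own line and joined with a trailing `&&`/`||` instead of relying on a backslash. The option name `--ht-location`, the accepted values `above`/`below`/`none`, and the reading of the value as an HT40 secondary-channel position are assumptions modelled on the report, which only mentions "below"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not debugd's capture_utility.sh). Handles a user-supplied
# --ht-location value without ever interpolating it into a command line.
# The accepted values and the meaning of the option are assumptions.

# Return 0 if $1 is an accepted ht-location value, 1 otherwise.
# The value is only ever compared inside "case" and "[ ]", never executed,
# so a crafted value such as a binary name simply fails this check.
validate_ht_location() {
    case "$1" in
        above|below|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the value means a 40 MHz secondary channel must be set up
# (assumed meaning of "above"/"below"), 1 for "none".
# Each test is complete on its own line and the lines are joined with a
# trailing ||, so no continuation backslash is needed: losing one would be
# a syntax error instead of turning the next line into a separate command.
ht_needs_secondary_channel() {
    [ "$1" = above ] ||
        [ "$1" = below ]
}

# Walk an argument list of the form "--ht-location VALUE" (other options
# are skipped here). Prints the validated value on stdout; returns 1 if the
# value is missing or not on the allowlist, so a caller can abort before
# passing it on to any tool.
parse_ht_location() {
    _loc=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --ht-location)
                [ $# -ge 2 ] || return 1
                _loc="$2"
                shift 2
                ;;
            *) shift ;;
        esac
    done
    validate_ht_location "$_loc" || return 1
    printf '%s\n' "$_loc"
}

# Usage (constructed argument list): prints "above"
#   parse_ht_location --frequency 5180 --ht-location above
# while an unexpected value such as "vi" makes parse_ht_location return 1.
```

The allowlist is the essential part: quoting alone does not help once a value has landed in command position, but a value that can only ever be one of a few fixed words has nothing to inject. Running `shellcheck` over scripts like this one is a cheap way to catch a dangling test bracket or a missing continuation before it ships.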
 
Owner: mnissler@chromium.org
Status: Started (was: Unconfirmed)
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 2 2018

Labels: M-64
Project Member

Comment 4 by sheriffbot@chromium.org, Mar 2 2018

Labels: Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 5 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/09bcd233c57a5d7b4435935a5e5ad90c06061d1d

commit 09bcd233c57a5d7b4435935a5e5ad90c06061d1d
Author: Mattias Nissler <mnissler@chromium.org>
Date: Mon Mar 05 15:08:06 2018

debugd: Fix command injection in capture_utility.sh

Due to an incorrectly broken line in a conditional, the --ht-location
parameter could be abused for command injection

BUG= chromium:818135 
TEST=Manual

Change-Id: I795077dced66696354038fc79d37f521575de08f
Reviewed-on: https://chromium-review.googlesource.com/945914
Commit-Ready: Mattias Nissler <mnissler@chromium.org>
Tested-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/09bcd233c57a5d7b4435935a5e5ad90c06061d1d/debugd/src/helpers/capture_utility.sh

Status: Fixed (was: Started)
Project Member

Comment 7 by sheriffbot@chromium.org, Mar 6 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65
Components: OS>Systems
Labels: reward-topanel
Project Member

Comment 11 by sheriffbot@chromium.org, Jun 12 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -reward-topanel
