Microsoft details critical vulnerability in ChromeOS • The Register

Microsoft has described a serious ChromeOS security vulnerability that one of its researchers reported to Google in late April.

The bug was quickly patched and, about a month later, the fix was merged into the ChromeOS code released on June 15, 2022. Redmond detailed the flaw in a report published on Friday.

Microsoft’s write-up is notable both for the severity of the bug (rated 9.8 out of 10) and for the role reversal: it is usually Google, particularly its Project Zero group, that draws attention to bugs in Microsoft software.

Since at least 2010, security researchers at Google have made a habit of disclosing bugs in software from Microsoft and other vendors after a deadline, typically 90 days, even if a patch has not been released, in order to push companies to respond to security flaws more rapidly.

Microsoft has chastised Google about this many times over the years, although as early as 2011 Redmond showed a willingness to adapt, with a revised security disclosure policy that came alongside details of Chrome vulnerabilities, albeit published only months after Google had fixed them.

Microsoft’s disclosure of the critical ChromeOS flaw is not a zero-day, since Google has already shipped the necessary fixes. But it does allow the Windows giant to magnanimously point out problems in a competitor’s hardened code and praise Google for its quick fixes.

A critical problem

The ChromeOS memory corruption vulnerability, CVE-2022-2587, was particularly serious. As Microsoft 365 Defender research team member Jonathan Bar Or explains in his write-up, the issue stems from the use of D-Bus, an inter-process communication (IPC) mechanism used on Linux systems.

A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added devices such as USB speakers and Bluetooth headsets. The service exposes a method called SetPlayerIdentity, which accepts a string argument called identity as input. The C code of that function calls strcpy from the standard library. Yes, strcpy, the notoriously dangerous function.

“To the experienced security engineer, the mention of the strcpy function immediately triggers red flags,” explains Jonathan Bar Or. “The strcpy function is known to cause various memory corruption vulnerabilities because it does not perform any bounds checking and is therefore considered unsafe.

“Since there are no bounds checks on the identity argument supplied by the user before invoking strcpy (in addition to the default message length limitations for D-Bus messages), we were confident that we could trigger a heap-based buffer overflow, thus triggering a memory corruption vulnerability.”

From the command line, a heap-based buffer overflow can be achieved simply by passing a 200-character string to the dbus-send utility. And with a little more effort, it was determined that the song’s metadata, passed to the CRAS audio management component via the MediaSessionMetadataChanged method, could trigger the bug remotely via browser or Bluetooth.
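To make the defect concrete, here is an added C example that is not code from the article or from CRAS: a constructed setter that mirrors the unbounded strcpy pattern described above, placed beside a hardened form that validates the identity length before copying into a fixed-size heap buffer. The buffer size IDENTITY_MAX, the struct, and the function names are assumptions; the 200-byte input in main mirrors the string length the article cites for the dbus-send trigger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the heap-allocated identity buffer. The real CRAS
 * allocation size is not given in the article; this is a constructed value. */
#define IDENTITY_MAX 64

struct player {
    char *identity;   /* heap allocation of IDENTITY_MAX bytes */
};

/* "Before" form, modelled on the pattern the article describes: strcpy()
 * with no bounds check. Any identity longer than IDENTITY_MAX - 1 bytes
 * writes past the allocation (heap-based buffer overflow). Kept only for
 * comparison; it is never called with untrusted input here. */
void set_player_identity_unchecked(struct player *p, const char *identity)
{
    strcpy(p->identity, identity);
}

/* Pure check, no memory writes: would an unbounded copy of `identity`
 * (bytes plus the NUL terminator) exceed an IDENTITY_MAX-byte buffer? */
int identity_would_overflow(const char *identity)
{
    return strlen(identity) + 1 > IDENTITY_MAX;
}

/* Hardened form: validate first, reject oversize input with an error the
 * D-Bus handler can report, and copy with an explicit bound so the
 * terminator is always written and nothing lands past the allocation. */
int set_player_identity_checked(struct player *p, const char *identity)
{
    if (p == NULL || identity == NULL || identity_would_overflow(identity))
        return -1;
    /* snprintf never writes more than IDENTITY_MAX bytes and always NUL-terminates */
    snprintf(p->identity, IDENTITY_MAX, "%s", identity);
    return 0;
}

struct player *player_new(void)
{
    struct player *p = calloc(1, sizeof *p);
    if (p == NULL)
        return NULL;
    p->identity = calloc(IDENTITY_MAX, 1);
    if (p->identity == NULL) {
        free(p);
        return NULL;
    }
    return p;
}

void player_free(struct player *p)
{
    if (p != NULL) {
        free(p->identity);
        free(p);
    }
}

int main(void)
{
    struct player *p = player_new();
    if (p == NULL)
        return 1;

    /* Constructed inputs: a short name, and a 200-byte string matching the
     * length the article cites for triggering the overflow via dbus-send. */
    char longname[201];
    memset(longname, 'A', 200);
    longname[200] = '\0';

    printf("short identity accepted: %d\n",
           set_player_identity_checked(p, "Example Player"));
    printf("200-byte identity would overflow: %d\n",
           identity_would_overflow(longname));
    printf("200-byte identity rejected: %d\n",
           set_player_identity_checked(p, longname));
    printf("identity still: %s\n", p->identity);

    player_free(p);
    return 0;
}
```

The hardened version treats an oversize identity as a protocol error rather than silently truncating it, which is the usual choice for an IPC boundary: the caller learns its input was rejected, and the service never depends on a D-Bus message-length limit as its only guard.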

Bar Or acknowledges that turning this bug into remote code execution would require heap grooming and chaining with other vulnerabilities, but it is dangerous enough to warrant Google’s quick response.

“We were impressed with the speed of the fix and the efficiency of the overall process,” he said.

“In less than a week, the code was validated and, after several merges, made available to users. We thank the Google team and the Chromium community for their efforts to resolve the issue.”

Bar Or has already been thanked by Google’s Vulnerability Rewards Program, which in June awarded him $25,000 for responsible disclosure of the bug. ®