Microsoft has described a serious security issue in ChromeOS that one of its researchers reported to Google in late April.
The bug was quickly fixed; about a month later the fix was merged into ChromeOS code that shipped to users on June 15, 2022, and Redmond described it in a report released on Friday.
Microsoft’s write-up is noteworthy both for the severity of the bug (9.8 out of 10) and for the role reversal: it is usually Google, specifically its Project Zero group, that draws attention to bugs in Microsoft software.
As far back as 2010, security researchers at Google made a habit of revealing bugs in Microsoft and third-party software after a fixed deadline, typically 90 days, even if no patch had been released, in order to force vendors to respond to security flaws quickly.
Microsoft has reprimanded Google for this several times over the years, but as far back as 2011 Redmond showed a willingness to adapt, introducing a revised security disclosure policy alongside its own disclosure of Chrome vulnerabilities, albeit months after Google had fixed them.
Microsoft’s disclosure of the critical ChromeOS flaw isn’t a zero-day, since Google has already shipped the necessary fixes. But it allows the Windows giant to magnanimously point out problems in a competitor’s hardened code and pat Google on the back for its quick repair.
A critical issue
The ChromeOS memory corruption vulnerability, CVE-2022-2587, was particularly serious. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem arises in code that uses D-Bus, an inter-process communication (IPC) mechanism used on Linux.
A D-Bus service called org.chromium.cras (the ChromiumOS Audio Server) provides a way to route audio to newly added peripherals such as USB speakers and Bluetooth headsets. The service exposes a method called SetPlayerIdentity, which accepts a string argument called identity as input. The C code behind that method copies the argument with strcpy from the standard library. Yes, strcpy, a notoriously dangerous function.
“For the experienced security engineer, the mention of the strcpy function immediately raises red flags,” explains Jonathan Bar Or. “The strcpy function is known to cause several memory corruption vulnerabilities, as it does not perform bounds checks and is therefore considered insecure.
“Because there are no bounds checks on the user-specified identity argument before strcpy is called (apart from the default message length limitations for D-Bus messages), we were confident that we could trigger a heap-based buffer overflow, creating a memory corruption vulnerability.”
From the command line, a heap-based buffer overflow can be triggered simply by passing a string of 200 characters to the dbus-send utility. With a little more effort, it was determined that song metadata, delivered through the MediaSessionMetadataChanged method, can trigger the bug remotely via the browser or over Bluetooth.
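The pattern described above, an unbounded strcpy of a caller-controlled IPC string into a fixed-size heap object, is easy to model. The following C is an added illustration written for this page, not code from CRAS or from Microsoft’s post; the buffer size (IDENTITY_CAP), the struct layout and the function names are assumptions chosen for clarity. It places the vulnerable shape of the handler beside a hardened one that measures the input first, and builds a constructed 200-byte identity string of the kind dbus-send would deliver.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size for the player-identity buffer; the page does not state the
 * real CRAS size, this value is an illustration only. */
#define IDENTITY_CAP 64

/* A heap-resident object whose identity buffer is followed by other fields,
 * so an overrun corrupts adjacent memory (hypothetical layout). */
struct player_state {
    char identity[IDENTITY_CAP];
    int playing;
};

/* Vulnerable shape: strcpy copies until the NUL terminator and never consults
 * the destination size. An identity longer than IDENTITY_CAP-1 bytes writes
 * past the buffer. Kept for comparison; never call it with untrusted input. */
void set_player_identity_unsafe(struct player_state *ps, const char *identity) {
    strcpy(ps->identity, identity);
}

/* Hardened shape: bound the length check itself, reject oversize input before
 * touching the destination, then copy exactly the bytes that were measured.
 * Returns 0 on success, -1 if the identity (plus NUL) would not fit. */
int set_player_identity_safe(struct player_state *ps, const char *identity) {
    size_t n = strnlen(identity, IDENTITY_CAP);
    if (n >= IDENTITY_CAP)
        return -1;
    memcpy(ps->identity, identity, n + 1);
    return 0;
}

/* Number of bytes strcpy would write beyond a buffer of 'cap' bytes (0 = fits). */
size_t overflow_bytes(size_t cap, const char *identity) {
    size_t need = strlen(identity) + 1;   /* payload plus terminating NUL */
    return need > cap ? need - cap : 0;
}

/* Constructs the kind of argument the proof of concept sends: 'len' bytes of
 * 'A' followed by a NUL. Caller frees the result. */
char *make_long_identity(size_t len) {
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void) {
    struct player_state *ps = calloc(1, sizeof *ps);
    char *evil = make_long_identity(200);   /* constructed 200-character identity */
    if (!ps || !evil)
        return 1;

    printf("strcpy would overrun the buffer by %zu bytes\n",
           overflow_bytes(IDENTITY_CAP, evil));
    /* set_player_identity_unsafe(ps, evil);  <- the heap overflow; deliberately not executed */
    printf("safe setter rejects the long identity: %d\n",
           set_player_identity_safe(ps, evil));
    printf("safe setter accepts a short identity: %d (%s)\n",
           set_player_identity_safe(ps, "spotify"), ps->identity);

    free(evil);
    free(ps);
    return 0;
}
```

The point of the hardened version is that the check happens on the untrusted length before any write, and that the copy uses the measured length rather than trusting the source to be terminated within bounds; relying on the D-Bus message size limit alone, as the quote above notes, still leaves far more than IDENTITY_CAP bytes in play.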
Bar Or admits that while turning this bug into a remote code execution exploit requires heap grooming and chaining with other vulnerabilities, it’s dangerous enough to warrant Google’s quick response.
“We were impressed with the speed of the repair and the effectiveness of the overall process,” he said.
“Within a week, the code was committed and, after several merges, made generally available to users. We thank the Google team and the Chromium community for their efforts to address the issue.”
Bar Or has already received a thank you from Google’s Vulnerability Rewards Program, which awarded him $25,000 in June for responsible disclosure of the bug. ®