How Microsoft Discovered a Critical Flaw in ChromeOS, Fixed by Google

ChromeOS is considered safe compared to older Windows and macOS systems, but Microsoft recently discovered a nasty remotely exploitable bug in ChromeOS’s audio server, with a severity score of 9.8 out of 10.

ChromeOS is Google’s proprietary operating system based on the open-source ChromiumOS system, itself based on Linux. Microsoft security researcher Jonathan Bar Or discovered the bug in ChromiumOS Audio Server (CRAS), a service that routes sound to devices such as USB speakers and Bluetooth headsets.

Jonathan Bar Or discovered a local memory corruption issue that could be triggered remotely by manipulating audio metadata, either in the browser or via Bluetooth.

“Attackers could have tricked users into fulfilling these conditions, such as by simply playing a new song in a browser or from a paired Bluetooth device, or exploiting adversary-in-the-middle (AiTM) to exploit the vulnerability remotely,” he explains in a blog post.

Reported in April, fixed in June

Microsoft reported the issue to Google in April. Google assigned the bug CVE-2022-2587 and released a fix in mid-June, but was already working on fixes within a week of the report. Google described it as a high-severity flaw due to an out-of-bounds write in CRAS.

Bar Or examined ChromeOS for issues similar to the D-Bus bugs he discovered while scanning Linux earlier this year.

ChromeOS, being Linux-based, could also be vulnerable to similar bugs. But, he notes, ChromeOS typically requires an attacker to string together multiple vulnerabilities because of Google’s proprietary hardening measures. The vulnerabilities discovered are therefore fewer than on Windows or macOS.

The Audio Server bug was a ChromeOS-specific memory corruption vulnerability, which Jonathan Bar Or discovered after inspecting the handler function called “SetPlayerIdentity”, which called the C library function “strcpy”.

“For the experienced security engineer, the mention of the strcpy function immediately raises red flags,” notes Jonathan Bar Or. “[…] limit control and is therefore considered unsafe. Since there are no bounds checks on the user-supplied identity argument before invoking strcpy (besides the default message length bounds for D-Bus messages), we were sure to be able to trigger a heap-based buffer overflow, thereby triggering a memory corruption vulnerability.”

A quick response

Heap-based buffer overflows can lead to arbitrary code execution, but to make the attack more dangerous he needed a way to trigger it remotely, which he found by modifying the audio metadata. This can be done via the browser when a new song starts playing, or via Bluetooth when a new song starts playing from a paired Bluetooth device. The vulnerable function is cras_bt_player_update_identity.
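The two passages above describe the same defect: a handler copies a caller-controlled identity string into a fixed-size field of a heap object with strcpy and no length check. The following C is an added illustration written for this article, not code from CRAS or from Microsoft’s write-up; the struct, the IDENTITY_MAX size and the function names update_identity_unsafe and update_identity_safe are assumptions chosen to show the pattern and one bounded replacement for it. The unsafe form is kept only for comparison and is never called with oversized input.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed size of the identity field; the real CRAS layout is not shown
 * in the article and is not reproduced here. */
#define IDENTITY_MAX 64

/* Hypothetical player object living on the heap. */
struct bt_player {
    char identity[IDENTITY_MAX];
};

/* Before: the pattern the article describes. strcpy copies until it finds
 * a NUL in the source, so any identity of IDENTITY_MAX bytes or more
 * writes past the end of the struct (a heap-based buffer overflow). */
void update_identity_unsafe(struct bt_player *p, const char *identity)
{
    strcpy(p->identity, identity);
}

/* After (assumed mitigation): measure the input with a bounded scan and
 * reject anything that does not fit, leaving the object untouched.
 * Rejecting rather than truncating keeps the stored name identical to
 * what the caller sent or stores nothing at all.
 * Returns 0 on success and -1 when the identity is missing or too long. */
int update_identity_safe(struct bt_player *p, const char *identity)
{
    if (p == NULL || identity == NULL)
        return -1;

    /* memchr only looks at the first IDENTITY_MAX bytes, so an
     * unterminated or very long input is never scanned further than the
     * buffer could hold anyway. */
    const char *nul = memchr(identity, '\0', IDENTITY_MAX);
    if (nul == NULL)
        return -1;              /* no NUL within the field size: does not fit */

    size_t len = (size_t)(nul - identity);
    memcpy(p->identity, identity, len + 1);   /* copy including the NUL */
    return 0;
}

/* Demo helper: build a heap identity of n 'A' bytes, NUL-terminated.
 * Caller frees the result. */
char *make_identity(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    struct bt_player *p = calloc(1, sizeof *p);
    if (p == NULL)
        return 1;

    /* A short name is accepted by both variants. */
    update_identity_safe(p, "Example Headset");

    /* An identity that cannot fit is refused instead of overflowing. */
    char *too_long = make_identity(IDENTITY_MAX * 4);
    int rc = update_identity_safe(p, too_long);   /* rc == -1, p untouched */

    free(too_long);
    free(p);
    return rc == -1 ? 0 : 1;
}
```

The check is deliberately placed before any write to the object: a length test after a partial copy would already be too late. In a real audio server the same rule applies to every string taken from a D-Bus message or a Bluetooth metadata field, not only the player identity.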

Jonathan Bar Or praised Google for resolving the issue quickly after it was reported. He notes that, while not easy to exploit, its impact on ChromeOS devices – which can include old Macs and PCs – warranted such a response from Google.

“We were impressed with the speed of the remediation and the efficiency of the overall process. In less than a week, the code was validated and, after several merges, made available to users. We thank the Google team and the Chromium community for their efforts to resolve this issue,” writes Jonathan Bar Or.
