Microsoft finds a critical flaw in an operating system that, for once, isn’t Windows. The vulnerability was discovered in ChromeOS and has a severity rating of 9.8 out of 10


Microsoft released technical details last Friday of a critical vulnerability in ChromeOS that could be exploited for denial-of-service (DoS) attacks and – in limited cases – remote code execution. Identified as CVE-2022-2587 (with a CVSS score of 9.8) and described as an out-of-bounds write, the vulnerability was addressed with a patch release in June. The problem has been identified in the CRAS (ChromiumOS Audio Server) component, and could be triggered by manipulating metadata associated with audio files.

ChromeOS is Google’s proprietary operating system. It is based on the open source ChromiumOS operating system, itself based on Linux. ChromeOS is considered safe compared to older Windows and macOS systems. But even the most robust operating systems can contain security bugs, as evidenced by Microsoft’s recent discovery. In a detailed blog post about the vulnerability, Microsoft said the bug was spotted by Jonathan Bar Or, one of the security researchers on its Microsoft 365 Defender Research team, in late April and immediately reported to Google.

The problem stems from the use of D-Bus, an interprocess communication (IPC) mechanism used in Linux. A D-Bus call service org.chromium.cras Allows audio to be routed to recently added devices, such as USB speakers and Bluetooth headsets. This service includes a function called SetPlayerIdentitywhich accepts as input a string of characters called identity. And the C code of the function calls strcpy() in the standard library. As a reminder, the function strcpy() allows you to copy the contents of one character string to another.


Vulnerable function with strcpy invocation in it

However, many consider that using the function strcpy() is dangerous. For example, using this function to copy a large character array to a smaller one would be dangerous, but if the character string holds, the risk isn’t worth it. If the destination string is not large enough to store the source string, then the behavior of the function strcpy() is unspecified or undefined. For the experienced safety engineer, the mention of the function strcpy() immediately triggers red flags,” Jonathan explains in the blog post.

Function strcpy() is known to cause various memory corruption vulnerabilities since it performs no boundary checking and is therefore considered unsafe. Since there is no bounds check on the argument identity provided by the user before invoking strcpy() (besides the default message length limits for D-Bus messages), we were sure we could trigger a heap-based buffer overflow, thus triggering a memory corruption vulnerability, he added. According to him, the flaw could be easily exploited by a malicious actor.

From the command line, a heap-based buffer overflow can be achieved simply by passing a 200-character string to the utility dbus-send. And with a little more effort, it was determined that the song metadata, passed to CRAS’ audio processing component via the MediaSessionMetadataChanged, could trigger the bug remotely via a browser or Bluetooth. However, Microsoft notes that turning this bug into a remote code execution exploit would require heap grooming and chaining with other vulnerabilities.

The impact of heap-based buffer overflow ranges from simple DoS to full RCE. While it is possible to allocate and free chunks through manipulation of media metadata, performing accurate heap cleanup is not trivial in this case and attackers should chain the exploited along with other vulnerabilities to successfully execute arbitrary code,” the blog post explains. However, the vulnerability appears to be dangerous enough to warrant Google’s quick response. Jonathan said his team was surprised by how quickly Google fixed the bug.


Call tree showing how browser or Bluetooth media metadata changes ultimately trigger the vulnerable feature

We were impressed with the speed of the fix and the efficiency of the whole process. In less than a week, the code was fixed and, after several merges, made generally available to users. We thank the Google team and the Chromium community for their efforts in resolving this issue,” he said. Jonathan received acknowledgments from Google’s vulnerability rewards program, which in June awarded him $25,000 for responsible disclosure of the bug. Microsoft has not found any indicators that the bug has been exploited in attacks.

Furthermore, Microsoft’s report is remarkable both for the severity (9.8 out of 10) of the vulnerability and for the reversal of the scenario. It is usually Google, especially its Project Zero group, that draws attention to bugs in Microsoft software, especially bugs in the Windows operating system. According to analysts, as early as 2010, security researchers at Google made a habit of disclosing software bugs from Microsoft and other vendors after 90 days, even if a fix has not been released, in order to companies to react more quickly to security breaches.

Microsoft is said to have berated Google about it several times over the years, although as early as 2011 the Redmond firm showed willingness to adapt by revising its security vulnerability disclosure policy. This critical flaw in ChromeOS is not a zero-day vulnerability since Google has made the necessary fixes. But the disclosure allows Microsoft to magnanimously point out problems with a competitor’s hardened code and commend Google for its quick fixes.

Source: Microsoft

And you?

What is your opinion on the subject?
What do you think of this critical ChromeOS vulnerability?
What do you think of the caveats about the C language strcpy() function?
Have you ever encountered any bugs related to the use of this function in your applications?

See as well

Steam for Chrome OS is officially coming to 7 Chromebooks as an alpha release and plays at least 50 games, but not on low-end Chromebooks

Google backs Linux project to make Android and Chrome OS harder to hack, while pushing for use of Rust in kernel code

Chromebook demand plummets as pandemic subsides, TrendForce report says

Google is pushing developers to adapt Android apps to Chromebooks, the number of users of Android apps on Chromebooks has increased by 50% year over year

Leave a Comment