Issue 52682: Sandbox IPC out-of-bounds write in CrossCallParamsEx::CreateFromBuffer
Status:  Fixed
Owner:  ----
Closed:  Aug 2010
Cc:  rvargas@chromium.org, nsylv...@chromium.org, cpu@chromium.org
M-6

Project Member Reported by cpu@chromium.org, Aug 18, 2010
It is a variation of bug 32915, which we overlooked at that time.

Credits to Adobe's security team for the find.

In crosscall_server.cc, CrossCallParamsEx::CreateFromBuffer:

GetActualBufferSize(param_count, buffer_base) returns an untrusted value which we check to be not too big and not zero, but it can be set to a small value.

This causes problems because we overlay (via placement new) an object of type CrossCallParamsEx on memory of a size that can be smaller than sizeof(CrossCallParamsEx).

Then 1) the default ctor of CrossCallParamsEx will write zeros outside the allocated memory, corrupting nearby heap allocation.

In all likelihood the set of tests in the following loop fail and cause the early exit.

for (size_t ix = 0; ix != param_count; ++ix) {
  address = copied_params->GetRawParameter(..);
  if ((address < ..) ||
      (address > ..) ... || ..) {
    // Malformed
    return NULL;
  }
}

The belief here is based on the fact that GetRawParameter(..) now points to random memory on the heap that is not *directly* attacker controlled. So whatever this memory is needs to 1) make some sense and 2) be useful for an attack.

Seems hard, but we have seen crazy feats; in particular the heap might contain previous IPC values.

Aug 19, 2010
#1 scarybea...@gmail.com
(No comment was entered for this change.)
Labels: SecSeverity-High Mstone-6 ReleaseBlock-Stable
Aug 19, 2010
#2 kerz@chromium.org
How long on a fix for the branch? 
Aug 19, 2010
#3 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56796 

------------------------------------------------------------------------
r56796 | cpu@chromium.org | 2010-08-19 18:06:17 -0700 (Thu, 19 Aug 2010) | 7 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_params.h?r1=56796&r2=56795
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_server.cc?r1=56796&r2=56795
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/ipc_unittest.cc?r1=56796&r2=56795

Sbox IPC fix

BUG=52682
TEST=included


Review URL: http://codereview.chromium.org/3142022
------------------------------------------------------------------------

Aug 19, 2010
#4 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56798 

------------------------------------------------------------------------
r56798 | cpu@chromium.org | 2010-08-19 18:27:20 -0700 (Thu, 19 Aug 2010) | 12 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_params.h?r1=56798&r2=56797
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_server.cc?r1=56798&r2=56797
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/ipc_unittest.cc?r1=56798&r2=56797

Revert 56796 - Sbox IPC fix

Tests failing on vista 

BUG=52682
TEST=included


Review URL: http://codereview.chromium.org/3142022

TBR=cpu@chromium.org
Review URL: http://codereview.chromium.org/3122031
------------------------------------------------------------------------

Aug 20, 2010
#5 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56938 

------------------------------------------------------------------------
r56938 | cpu@chromium.org | 2010-08-20 16:31:45 -0700 (Fri, 20 Aug 2010) | 11 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_params.h?r1=56938&r2=56937
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/crosscall_server.cc?r1=56938&r2=56937
   M http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/ipc_unittest.cc?r1=56938&r2=56937

Sbox IPC fix

Second take, I had an off-by-one bad check in line 164

for more info see review 3142022

BUG=52682
TEST=included


Review URL: http://codereview.chromium.org/3130037
------------------------------------------------------------------------

Aug 20, 2010
#6 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=56972 

------------------------------------------------------------------------
r56972 | mal@chromium.org | 2010-08-20 19:33:51 -0700 (Fri, 20 Aug 2010) | 14 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/472/src/sandbox/src/crosscall_params.h?r1=56972&r2=56971
   M http://src.chromium.org/viewvc/chrome/branches/472/src/sandbox/src/crosscall_server.cc?r1=56972&r2=56971
   M http://src.chromium.org/viewvc/chrome/branches/472/src/sandbox/src/ipc_unittest.cc?r1=56972&r2=56971

Merge 56938 - Sbox IPC fix

Second take, I had an off-by-one bad check in line 164

for more info see review 3142022

BUG=52682
TEST=included


Review URL: http://codereview.chromium.org/3130037

TBR=cpu@chromium.org
Review URL: http://codereview.chromium.org/3135041
------------------------------------------------------------------------

Aug 20, 2010
#7 mal@google.com
Fix is on the Chrome 6 branch now.
Status: FixUnreleased
Labels: -Area-Undefined Area-Internals
Aug 20, 2010
#8 infe...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Aug 23, 2010
#9 scarybea...@gmail.com
Thanks all for getting this fixed so quickly.
Cc: c...@chromium.org
Aug 25, 2010
#10 scarybea...@gmail.com
Copying in the original high-quality report:
---

Bug Title: Exploitable write buffer overflow while handling a cross-call in CrossCallParamsEx::CreateFromBuffer( ); this can potentially be used to escape the sandbox.


Description:
There is insufficient validation of the cross-call parameters in CrossCallParamsEx::CreateFromBuffer() [src\sandbox\src\crosscall_server.cc] that allows the sandbox to cause a heap buffer overflow in the broker. This may be used to escape the sandbox by corrupting adjoining heap memory.

The bug is in the following section of the code:
   actual_size = GetActualBufferSize(param_count, buffer_base);
   if ((actual_size > buffer_size) || (0 == actual_size)) {
     // It is too big or too many declared parameters.
     return NULL;
   }
   // Now we copy the actual amount of the message.
   actual_size += sizeof(ParamInfo);  // To get the last offset.
   *output_size = actual_size;
   backing_mem = new char[actual_size];
   memset(backing_mem, 0, actual_size);
   copied_params = new(backing_mem)CrossCallParamsEx();

GetActualBufferSize() returns param_info_[NUMBER_PARAMS].offset_ (which is attacker controlled) and can be some small value like 1. After adding 0xc bytes for ParamInfo, actual_size = 0xd. The allocated backing_mem is of this size.
Calling the placement new constructor CrossCallParamsEx( ) [which is of size 0x4c] will overwrite past the allocated size (0xd) into offset 0x3C etc.
In case this causes an access-violation, the __except( ) would catch it. More serious would be the corruption of adjoining memory areas, which could help an exploit running in the sandbox in getting additional access and/or breaking out of the sandbox.

More details
------------
(Note that the traces are from our private builds and may differ)

faulting instruction:
eax=00000000 ebx=03570134 ecx=00000000 edx=00000000 esi=0304bff0 edi=0000000d
eip=00420fe1 esp=03bafbf8 ebp=03bafc34 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
sandbox::CrossCallParamsEx::CreateFromBuffer+0xc1:
00420fe1 89463c          mov     dword ptr [esi+3Ch],eax ds:0023:0304c02c=????????

backtrace:
ChildEBP RetAddr  Args to Child
03bafc34 0041c383 03570134 00020000 03bafd94 sandbox::CrossCallParamsEx::CreateFromBuffer+0xc1
03bafd9c 0041c5e1 034f6fd8 03570134 03bafe54 sandbox::SharedMemIPCServer::InvokeCallback+0x33
03bafe8c 7c927e91 034f6fd8 031a8f00 031a8fc0 sandbox::SharedMemIPCServer::ThreadPingEventReady+0xf1

!exploitable output:
"Exploitable - User Mode Write AV starting at sandbox::CrossCallParamsEx::CreateFromBuffer+0x00000000000000c1 (Hash=0x6e243d59.0x19765f60)".
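The missing lower bound that both the opening summary and the copied report describe, as an added example that is not the Chromium sandbox's own code: a simplified, hypothetical message layout (the struct names and field sizes are assumptions) next to the original two-test check and a hardened check that also rejects declared sizes too small for the placement-new overlay or for the ParamInfo table implied by the parameter count.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not the Chromium sandbox's own code. The layout below is a
// simplified, hypothetical model of the cross-call message the report
// describes: a small header, a table of ParamInfo entries, then the data.
constexpr uint32_t kMaxParams = 9;  // assumption; only the arithmetic matters

struct ParamInfo {           // 12 bytes, matching the 0xc the report mentions
  uint32_t type_;
  uint32_t offset_;          // offset of this parameter's data in the message
  uint32_t size_;
};

struct CallParams {          // the object later overlaid with placement new
  uint32_t tag_;
  uint32_t params_count_;
  ParamInfo param_info_[kMaxParams + 1];  // entry [count] holds the end offset
};

// The check as quoted on the page: only "too big" and "zero" are rejected.
// A declared size of 1 passes, although the overlay needs sizeof(CallParams).
bool VulnerableCheckAccepts(uint32_t declared, uint32_t buffer_size) {
  return !(declared > buffer_size || declared == 0);
}

// Hardened validation: returns the backing size to allocate, or 0 to reject.
// Besides the two original tests it requires that the allocation is large
// enough for the overlay and for the ParamInfo table implied by the count.
uint32_t HardenedBackingSize(uint32_t declared, uint32_t buffer_size,
                             uint32_t param_count) {
  if (declared == 0 || declared > buffer_size) return 0;
  if (param_count > kMaxParams) return 0;
  // Overflow-safe version of "actual_size += sizeof(ParamInfo)".
  if (declared > UINT32_MAX - sizeof(ParamInfo)) return 0;
  const uint32_t backing = declared + static_cast<uint32_t>(sizeof(ParamInfo));
  if (backing < sizeof(CallParams)) return 0;  // overlay would write past it
  // Every ParamInfo entry up to [param_count] must lie inside the message.
  const uint32_t table_end = static_cast<uint32_t>(
      offsetof(CallParams, param_info_) + (param_count + 1) * sizeof(ParamInfo));
  if (declared < table_end) return 0;
  return backing;
}
```

With the report's values (declared size 1, a 0x20000-byte shared buffer) the original check accepts and the hardened one returns 0, so no undersized backing allocation is ever created.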
Aug 26, 2010
#11 scarybea...@gmail.com
This qualifies for a $1000 Chromium Security Reward because of the severity (high) and great detail in the e-mail report.
The original reporters of the bug are not on the cc: so I'll tell them on the e-mail thread.
Labels: reward-1000 reward-unpaid
Sep 18, 2010
#12 scarybea...@gmail.com
(No comment was entered for this change.)
Status: Fixed
Labels: -Restrict-View-SecurityNotify
Dec 2, 2010
#13 scarybea...@gmail.com
Ashutosh's half of the payment is in the electronic system.
Dec 19, 2010
#14 scarybea...@gmail.com
Vineet's half of the payment is in the electronic system. Marking this bug as fully paid.
Labels: -reward-unpaid
Mar 21, 2011
#15 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Oct 4, 2011
#16 jsc...@chromium.org
Batch update.
Labels: SecImpacts-Stable
Oct 13, 2012
#17 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Owner: ---
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#18 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-Internals -SecSeverity-High -Mstone-6 -Type-Security -SecImpacts-Stable Security-Impact-Stable M-6 Cr-Internals Security-Severity-High Type-Bug-Security
Mar 13, 2013
#19 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#20 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#21 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable