Google Chrome/ChromeOS bug – 189250

http://googlechromereleases.blogspot.in/2013/04/chrome-os-stable-channel-update.html
    [189250] High CVE-2013-0927: Unsafe config option loading in Pango. Credit to Pinkie Pie.
   
http://www.scip.ch/en/?vuldb.8422

The changes are in ChromeOS’s x11-libs/Pango library.

You can read the vulnerable code in this location:
    https://git.gnome.org/browse/pango/tree/pango/pango-utils.c

static void
read_config (void)
{
  if (!config_hash)
    {
      char *filename;
      const char *home;
      const char *envvar;

      config_hash = g_hash_table_new_full (g_str_hash, g_str_equal,
                                           (GDestroyNotify)g_free,
                                           (GDestroyNotify)g_free);

      /* 1. system-wide file: <sysconfdir>/pango/pangorc */
      filename = g_build_filename (pango_get_sysconf_subdirectory (),
                                   "pangorc",
                                   NULL);
      read_config_file (filename, FALSE);
      g_free (filename);

      /* 2. per-user file: $HOME/.pangorc */
      home = g_get_home_dir ();
      if (home && *home)
        {
          filename = g_build_filename (home, ".pangorc", NULL);
          read_config_file (filename, FALSE);
          g_free (filename);
        }

      /* 3. any file named by the PANGO_RC_FILE environment variable */
      envvar = g_getenv ("PANGO_RC_FILE");
      if (envvar)
        read_config_file (envvar, TRUE);
    }
}

Pango reads its configuration from three places, in this order: the system configuration directory returned by pango_get_sysconf_subdirectory() (normally /etc/pango/pangorc), the .pangorc file in the user's home folder, and whatever file the PANGO_RC_FILE environment variable names. Each file is merged into the same hash table, so keys read from the later, user-controlled files override the system-wide ones.

If you like to know how ChromeOS security is implemented, you can read this
blog (https://hiddencodes.wordpress.com/2011/08/06/chrome-netbook-security/)

Most of these folders are user specific and are mounted when the user logs in. The problem with this code is that the library part of X11 reads a configuration file from the user's home folder, /home/chronos, which is shared by all users who use that particular netbook.

The attack has to follow this particular process:
1. The user creates a shared library module at /home/chronos/maliciousmodule/malware.so
2. The user creates /home/chronos/.pangorc with this content:
    #
    # pangorc file for uninstalled operation. If pango-viewer is run with
    # this file in the current directory it will set it as PANGO_RC_FILE
    #

    [Pango]
    ModuleFiles = ./maliciousmodule

Now this malware.so will be loaded into every X11 process that initializes Pango, and the attacker can sniff or manipulate other users' data.
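As an added example (not part of the original post and not Pango's code), here is a small audit in C that parses a .pangorc the way an incident responder would when looking for the artifact from step 2: it finds the ModuleFiles key in the [Pango] group, splits the value on ':' as Pango's own file-list splitting does, and flags every entry that is not an absolute path under a trusted system prefix. The sample files, the trusted prefix /usr/lib/pango, and the function names are assumptions made for the example.

```c
/*
 * Added example, not Pango's code: audit a .pangorc for ModuleFiles
 * entries that point outside the system module directory, i.e. the
 * pattern used in the attack above. Names and samples are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define ENTRY_LEN 256

/* Constructed sample: the .pangorc from step 2 above. */
static const char MALICIOUS_PANGORC[] =
    "#\n"
    "# pangorc file for uninstalled operation.\n"
    "#\n"
    "\n"
    "[Pango]\n"
    "ModuleFiles = ./maliciousmodule\n";

/* Constructed sample: a file that only names the system module list. */
static const char BENIGN_PANGORC[] =
    "[Pango]\n"
    "ModuleFiles = /usr/lib/pango/1.6.0/module-files.d\n";

/* Constructed sample: system path plus a home-relative entry
 * (Pango expands a leading "~" to the home directory). */
static const char MIXED_PANGORC[] =
    "[Pango]\n"
    "ModuleFiles = /usr/lib/pango/1.6.0/modules:~/.pango/modules\n";

/* Strip leading and trailing whitespace in place; returns the start. */
static char *trim(char *s)
{
    char *end;
    while (*s && isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/* True if `path` is absolute and equal to or below `trusted_prefix`. */
static int under_prefix(const char *path, const char *trusted_prefix)
{
    size_t n = strlen(trusted_prefix);
    if (path[0] != '/')
        return 0;
    return strncmp(path, trusted_prefix, n) == 0 &&
           (path[n] == '/' || path[n] == '\0');
}

/*
 * Scan the key-file text for [Pango] ModuleFiles and copy each entry
 * that is not under `trusted_prefix` into `flagged`. Returns the count.
 */
int audit_pangorc(const char *text, const char *trusted_prefix,
                  char flagged[MAX_ENTRIES][ENTRY_LEN])
{
    int in_pango = 0, nflag = 0;
    const char *p = text;
    char line[512];

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        char *s, *eq, *key, *val;

        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);

        s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';')   /* blank or comment */
            continue;
        if (*s == '[') {                             /* group header */
            in_pango = strcmp(s, "[Pango]") == 0;
            continue;
        }
        if (!in_pango || (eq = strchr(s, '=')) == NULL)
            continue;
        *eq = '\0';
        key = trim(s);
        val = trim(eq + 1);
        if (strcmp(key, "ModuleFiles") != 0)
            continue;

        /* Pango splits this value on ':' (G_SEARCHPATH_SEPARATOR). */
        while (*val) {
            char *sep = strchr(val, ':');
            char *entry;
            if (sep)
                *sep = '\0';
            entry = trim(val);
            if (*entry && !under_prefix(entry, trusted_prefix) &&
                nflag < MAX_ENTRIES)
                snprintf(flagged[nflag++], ENTRY_LEN, "%s", entry);
            if (!sep)
                break;
            val = sep + 1;
        }
    }
    return nflag;
}

int main(void)
{
    char flagged[MAX_ENTRIES][ENTRY_LEN];
    int i, n = audit_pangorc(MALICIOUS_PANGORC, "/usr/lib/pango", flagged);
    for (i = 0; i < n; i++)
        printf("suspicious ModuleFiles entry: %s\n", flagged[i]);
    return 0;
}
```

The relative entry ./maliciousmodule and the home-relative ~/.pango/modules are both flagged because neither can be root-owned system content; in practice the same check would be run over /home/chronos/.pangorc and over whatever PANGO_RC_FILE points at in the environment of the running Chrome processes.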

The Cr-48 resets data during reboot if it finds that a particular folder has been modified. The problem is that the Cr-48 does not do this for the /home/chronos folder.

So the fix is to disable the processing of configuration files from the home folder and from PANGO_RC_FILE, leaving only the root-owned system-wide file.
