Microsoft: How we unearthed a critical flaw in ChromeOS, and how Google fixed it

August 22, 2022 TH Author

ChromeOS is considered secure compared to legacy Windows and MacOS, but Microsoft recently discovered a nasty, remotely exploitable bug in ChromeOS’s audio server with a severity score of 9.8 out of 10.

ChromeOS is Google’s proprietary OS based on the open-source ChromiumOS, which itself is underpinned by Linux.

Microsoft security researcher Jonathan Bar Or found the bug in the ChromiumOS Audio Server (CRAS), a service that routes audio to peripherals such as USB speakers and Bluetooth headsets.

Or found a local memory corruption issue that could be remotely triggered by manipulating audio metadata, either in the browser or via Bluetooth.

“Attackers could have lured users into meeting these conditions, such as by simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely,” he explains in a blogpost.

Microsoft reported the issue to Google in April. Google assigned the bug CVE-2022-2587 and released a patch in mid-June, but was already working fixes within a week of it being reported. Google described it as a high-severity flaw due to an out-of-bounds write in CRAS.

Or scoped out ChromeOS in search of similar issues to the D-Bus bugs he had turned up when analyzing Linux earlier this year.

ChromeOS, being based on Linux, could also be vulnerable to similar bugs. But, he notes, ChromeOS typically requires an attacker to chain together multiple vulnerabilities due to Google’s proprietary hardening measures. Hence, there are fewer discovered flaws than in Windows or MacOS.

The audio server bug was a ChromeOS-specific memory-corruption vulnerability, which Or found after inspecting the handling function called SetPlayerIdentity, which called the C library function “strcpy“.

“To the experienced security engineer, the mention of the strcpy function immediately raises red flags,” notes Or.

“The strcpy function is known to cause various memory corruption vulnerabilities since it doesn’t perform any bounds check and is therefore considered unsafe. As there are no bounds checks on the user-supplied identity argument before invoking strcpy (besides the default message length limitations for D-Bus messages), we were confident we could trigger a heap-based buffer overflow, therefore triggering a memory corruption vulnerability.”

Heap-based buffer overflows can lead to arbitrary code execution, but to make the attack more dangerous, he needed a way to trigger it remotely, which he found could be done changing audio metadata. This can be achieved through the browser when a new song is played, or via Bluetooth when playing a new song from a paired Bluetooth device. The actual vulnerable function is cras_bt_player_update_identity.

Or commended Google for its speed in fixing the issue after it was reported. He notes that while it not easy to exploit, its impact on a ChromeOS device — which could include old Macs and PCs thanks to Google’s ChromeOS Flex — warranted such a response from Google.

“We were impressed with the speed of the fix and the effectiveness of the overall process. Within less than a week, the code was committed and, after several merges, made generally available to users. We thank the Google team and the Chromium community for their efforts in addressing the issue,” writes Or.