Tuesday, September 20, 2011

Chrome 14 addresses CVE-2011-2842, a local Mac-only issue

With the recent release of Chrome 14, Google addressed the following issue I reported to them:

[Mac only] [80680] Low CVE-2011-2842: Insecure lock file handling in the Mac installer. Credit to Aaron Sigel of vtty.com. (ref: http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html)

Details:

The affected script was "install.py", located in GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/Resources.
In this script, a temporary lock file was created using the following method:

  import os

  lockfilename = '/tmp/.keystone_install_lock'

  # Make sure that root and user can share the same lockfile
  oldmask = os.umask(0000)
  # os.O_EXLOCK is 32, but isn't defined on 10.4 (python2.3)
  # Note: no O_EXCL or O_NOFOLLOW, so an existing symlink at the fixed path is followed
  lockfile = os.open(lockfilename, os.O_CREAT | os.O_RDWR | 32, 0666)

This appears to get executed on every Chrome update, giving a local attacker frequent opportunities to target the statically named, insecurely created temporary file. To exploit this issue, a local attacker would create a symbolic link from "/tmp/.keystone_install_lock" to a file they wanted the victim to create. Because the open() is performed with the umask cleared and mode 0666, the resulting file is readable and writable by every user on the system. There are a number of files that users can write in their home directories that control access to various resources. Creating such a file through this method could allow the attacker to then edit its contents, leading to local privilege escalation or information disclosure.
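A hardened replacement for the open() call above, added here as an example and not taken from install.py or any Google code: it refuses symlinks and foreign files at the fixed path, drops the umask(0)/0666 combination, and uses fcntl.flock instead of the hard-coded O_EXLOCK value. LOCK_MODE, open_lock_hardened and demo are names I chose; a lock that root and the user must genuinely share would additionally need to live in a directory no other user can write to.

```python
import fcntl
import os
import stat
import tempfile

LOCK_MODE = 0o600  # hypothetical: owner read/write only, never world-writable

def open_lock_hardened(path):
    """Open a lock file at a fixed path without trusting what is already there.
    Returns a descriptor holding an exclusive flock(2); raises OSError if the path
    is a symlink, not a regular file, hard-linked elsewhere, or owned by someone else."""
    # O_NOFOLLOW: a planted symlink at `path` makes open() fail with ELOOP instead of
    # creating or truncating the link target as the victim.  No umask(0), no 0666.
    fd = os.open(path, os.O_CREAT | os.O_RDWR | os.O_NOFOLLOW, LOCK_MODE)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path name
        if not stat.S_ISREG(st.st_mode):
            raise OSError("lock path is not a regular file: %s" % path)
        if st.st_nlink != 1:
            raise OSError("lock file has unexpected hard links: %s" % path)
        if st.st_uid != os.geteuid():
            raise OSError("lock file owned by another user: %s" % path)
        # Exclusive, non-blocking lock replaces the hard-coded O_EXLOCK value 32.
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except Exception:
        os.close(fd)
        raise
    return fd

def demo():
    """Constructed scenario in a private temp dir: a planted symlink is refused and
    its target stays uncreated; a clean path yields a 0600 regular file."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "victim_file")
    link = os.path.join(d, ".keystone_install_lock")
    os.symlink(target, link)
    try:
        open_lock_hardened(link)
        symlink_rejected = False
    except OSError:
        symlink_rejected = True
    fd = open_lock_hardened(os.path.join(d, "clean_lock"))
    clean_mode = stat.S_IMODE(os.fstat(fd).st_mode)
    os.close(fd)
    return {"symlink_rejected": symlink_rejected,
            "target_created": os.path.exists(target),
            "clean_mode": clean_mode}
```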