Chromium: Information disclosure via "memory_instrumentation::mojom::Coordinator" interface in "resource_coordinator" service(CVE-2018-6080)

2018-03-15T00:00:00
ID SSV:97177
Type seebug
Reporter Root
Modified 2018-03-15T00:00:00

Description

VULNERABILITY DETAILS

The "memory_instrumentation::mojom::Coordinator" mojo interface is exposed by the "resource_coordinator" service, running under the browser process. The interface requires the "app" capability (https://cs.chromium.org/chromium/src/services/resource_coordinator/manifest.json?l=8), which is provided to the "content_renderer" service (therefore allowing it to bind to the remote interface).

The "Coordinator" interface exposes several commands, including the ability to register new client processes from which "memory dumps" can be requested, and the ability to produce dumps from the currently registered clients. The "memory dumps" do not contain the contents of the process's memory, but rather the metadata describing the currently mapped memory regions. On Linux this information is acquired from "/proc/<pid>/smaps".

No access control checks are done to ensure that unprivileged processes (such as the renderer) cannot acquire memory dumps from privileged processes (such as the browser).

As a result, the renderer process can acquire the memory maps of all other registered processes (such as the "Browser", "GPU" and "Utility" processes), including the address of each mapped region, its protection mask, and the name of the backing file (if any). This allows compromised renderers to bypass ASLR when attacking any of these other processes. Furthermore, this may leak additional information if the name of a mapped file in the aforementioned processes contains data that should not be accessible to the renderer.

I believe the above interface should be split in two; an "Agent Registry" (allowing clients to register as memory dump sources) and a "Coordinator" (allowing clients to acquire memory dumps from the aforementioned sources). The former interface should be made accessible to all services with the "app" capability, while the latter would only be exposed to privileged callers (via some other capability). This approach is already utilised by the "tracing::mojom::AgentRegistry" and "tracing::mojom::Coordinator" interfaces exposed by the "resource_coordinator" service.
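As an added illustration of the split proposed above (this is a model written for this page, not Chromium code), the following Python keeps registration in an "Agent Registry" that may stay reachable under the "app" capability, and gates dump requests in a "Coordinator" behind a separate capability. The capability name "memory_dump_consumer" and the smaps sample are assumptions; the parser keeps exactly the region fields the advisory lists (addresses, protection mask, backing file).

```python
import re
from dataclasses import dataclass

# Constructed sample in /proc/<pid>/smaps layout; not captured from a real process.
SAMPLE_SMAPS = """\
55d1c2a00000-55d1c2a80000 r-xp 00000000 08:01 131072 /opt/chromium/chrome
Size:                512 kB
Rss:                 400 kB
7f3a8c000000-7f3a8c021000 rw-p 00000000 00:00 0
Size:                132 kB
7f3a8d000000-7f3a8d1c4000 r--p 00000000 08:01 262144 /usr/lib/x86_64-linux-gnu/libc.so.6
Size:               1808 kB
"""

# Region header line: start-end perms offset dev inode [pathname]
HEADER_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str   # protection mask, e.g. "r-xp"
    path: str    # backing file; empty for anonymous mappings

def parse_smaps(text):
    """One Region per header line; the per-region counters (Size:, Rss:, ...) are skipped."""
    return [Region(int(m[1], 16), int(m[2], 16), m[3], m[4])
            for m in map(HEADER_RE.match, text.splitlines()) if m]

class AgentRegistry:
    """Registration of dump sources: the half that may stay reachable under "app"."""
    def __init__(self):
        self.agents = {}  # process name -> raw smaps text supplied by that agent

    def register(self, name, smaps_text):
        self.agents[name] = smaps_text

class Coordinator:
    """Serving dumps: the half that needs a separate, privileged capability."""
    DUMP_CAPABILITY = "memory_dump_consumer"  # hypothetical capability name

    def __init__(self, registry):
        self.registry = registry

    def request_global_dump(self, caller_capabilities):
        # The check missing from the vulnerable design: "app" alone is not enough.
        if self.DUMP_CAPABILITY not in caller_capabilities:
            raise PermissionError("caller may not read memory dumps")
        return {name: parse_smaps(text) for name, text in self.registry.agents.items()}
```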

VERSION

  • Chromium 64.0.3282.0 64-bit
  • Revision dd12859a9c856c6919cedf6c35d13b8b22af94e1-refs/heads/master@{#520743}
  • OS Linux 4.4.0-97-generic

REPRODUCTION CASE

I'm attaching a small patch that adds code to the renderer process which binds to the aforementioned interface and requests a global memory dump from the Coordinator. Applying the patch and navigating to any page should result in the renderer process outputting the memory maps for all processes.