Chrome saves downloaded files automatically, and some Linux distributions then process those files immediately with extremely insecure code from Gstreamer. The discoverer of the vulnerability says that such serious weaknesses do not currently occur on Windows.
Security vulnerabilities in Gstreamer's code can have a serious impact on some Linux desktop systems. This is reported by IT security expert Chris Evans, who currently works for Tesla. Because of the combined behaviour of the Chrome browser and the Gnome tool Tracker, Gstreamer can be attacked directly from within the browser.
Files are automatically downloaded
Chrome stores downloaded files directly in the Downloads folder without asking the user. All files stored there are automatically picked up by Tracker. Tracker is part of Gnome and is a tool for locating local files. To do so it extracts metadata, using the multimedia library Gstreamer. Gstreamer, in turn, contains a large number of decoders for audio and video formats.
The vulnerability Evans uses to demonstrate the problem lies in a codec for a format that the VMware software uses for screen captures. This format can be embedded in AVI files. The codec's code calculates the memory needed for the image from height, width and colour depth, but does not check whether the result still fits in an integer, a typical integer overflow. This in turn results in a buffer overflow on the heap.
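As an added illustration (not code from Gstreamer or from Evans' post), the following C snippet shows the allocation-size pattern the article describes next to an overflow-checked version; the function names, the sample header values and the use of GCC/Clang's `__builtin_mul_overflow` are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Illustrative code, not GStreamer's: a decoder derives the buffer size for
 * one frame from header fields (width, height, bits per pixel) that come
 * straight from the file. Sample values used with these functions are
 * constructed. */

/* Vulnerable pattern described in the article: the product is formed in
 * 32-bit arithmetic and silently wraps, so a huge frame can yield a tiny
 * size. Copying the real pixel data then overruns the heap buffer. */
uint32_t frame_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * (bpp / 8);
}

/* Hardened version: each multiplication is overflow-checked (GCC/Clang
 * builtin, assumed available) and zero-sized dimensions are rejected.
 * Returns 0 when the header values cannot describe a valid frame. */
size_t frame_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes_per_pixel = bpp / 8;
    size_t size;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &size))
        return 0;
    if (__builtin_mul_overflow(size, bytes_per_pixel, &size))
        return 0;
    return size;
}

/* Allocation that refuses malformed headers instead of undersizing. */
uint8_t *alloc_frame(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t size = frame_size_checked(width, height, bpp);
    return size ? calloc(1, size) : NULL;
}

/* Returns 1 when the unchecked computation would have wrapped for these
 * header values, i.e. when a decoder using it would allocate too little. */
int header_wraps(uint32_t width, uint32_t height, uint32_t bpp)
{
    return frame_size_checked(width, height, bpp)
           != (size_t)frame_size_unchecked(width, height, bpp);
}
```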
The sample file Evans provides only causes a crash. Writing an exploit would be relatively laborious, since Fedora uses ASLR (Address Space Layout Randomization), but Evans is confident that an exploit is feasible.
Two decoders for NES sound files
Regardless of this specific vulnerability, however, the problem is likely to be much larger. Evans had recently demonstrated a vulnerability in the parser for NSF files (NES Sound Format). It affects only older versions of Gstreamer, but these are used in Ubuntu 12.04, which is still supported. NSF files contain audio tracks for the Nintendo Entertainment System. Evans recommends simply deleting the NSF decoder. This has practically no effect, since Gstreamer can still play NSF files: it contains two codecs for the format.
Gstreamer contains countless codecs for almost every audio and video format that has ever existed. Many of them use other libraries, which are often barely maintained, if at all. The Gstreamer project is well aware of the quality of some of these codecs. The codecs are divided into different categories and bundled into corresponding plugin packages: base, good, bad and ugly. Both of the vulnerabilities Evans discovered are in plugins from the Gstreamer "bad" set. Regardless of their quality, however, programs that use Gstreamer usually select any installed codec automatically as soon as a matching file turns up.
Evans makes various suggestions for limiting the problem. Chrome's automatic saving of downloads is unusual; other browsers usually ask the user beforehand whether a download should be saved. Users can, however, change this setting manually. According to Evans, there is sandbox functionality for Tracker. As a workaround, users can exclude the Downloads folder from Tracker.
Evans ended his blog post with an appeal to Linux desktop developers to pay more attention to security. It is concerning that a default desktop configuration under Linux makes it so easy to find such a serious memory corruption vulnerability. "This is not the kind of situation that occurs under a current Windows 10 standard installation."