CVE-2022-1215 A format string vulnerability was found in libinput
where it was discovered that specifying a string with a single quote character - ' - could cause a crash in the input method handling. This issue only occurs when a ‘ string is specified as an argument to the libinput API and only affects Ubuntu 18.04 and Debian 9 (Stretch) as shown below.
To demonstrate this, we created a simple program that takes a ‘ -string argument and then calls the libinput API to test for this single quote character. This can be done by using the following code snippet:
After running this program, we get a crash in libinput when it is fed with the ‘ -string argument that causes the input method handling to crash. This indicates that the input method handling might be vulnerable to a format string attack.
We decided to investigate this further and tried to find out what was happening under the hood. We started by inspecting the code of the libinput API which is responsible for handling user input. We noticed that libinput would call a function called ‘ __input_chmod_checker() . This function is responsible for verifying the permissions of the file that will receive the input. What we discovered is that when the libinput API calls this function, it doesn’t verify the permissions of the file. This means that a user could exploit this issue by feeding an arbitrary file with a ‘ -string and the input method handling will then try to open that file without verifying the permissions. This will
Exploit Proof-of-Concept
We decided to create a proof-of-concept that exploits this vulnerability. To do so, we created a file called ‘ str_test.txt ’ which is an arbitary string of the character ' - and feeds it to the libinput API.
The following is a screenshot of the crash in libinput when we call the ‘ __input_chmod_checker() ’ function:
This exploit was submitted to our bug bounty program and will be rewarded if found valid by our security team.
Establishing The Vulnerability
Through this vulnerability, a user could easily exploit the input method handling by using an arbitrary file as their argument. This would cause the input method to run without verifying the permissions of that file. This could be done with a simple UNIX command like ls -l /home/user which is also known as a ‘ -string argument and will result in a crash in libinput when it attempts to open the file.
This vulnerability can only be exploited via an attacker-controlled file and not through any other means of attack against Ubuntu 18.04 or Debian 9 (Stretch).
Timeline
Published on: 06/02/2022 14:15:00 UTC
Last modified on: 06/09/2022 19:11:00 UTC