Thursday, 26 May 2022

Crashing GNOME shell

When I was waiting for the results of the "Night Fuzzing Session" I tried to chill a bit by searching for some other bugs. That's how I found one of them (CVE-2020-13160), described here, and that's how in the end I landed in GNOME. ;) You'll find the details about it below. Here we go...

This time we'll start here:


The environment I used this time was "similar" to the one previously described on the blog:
- Ubuntu 20 as an OS/VM. Should be a good start.

This time (according to the writeup I decided to check) I also installed AnyDesk for Ubuntu. Below you'll find the exact version(s).

I started AnyDesk to play a bit with it but after a while my desktop started freezing. I was wondering what's going on...

As I couldn't use GNOME any more at this stage, I connected to the VM using PuTTY to check some possible logs, dmesg, etc... This is what I found:

I decided to check more logs to understand what's going on here:


More:


Reading log files during this case was a pretty interesting exercise... ;) Like always.
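Reading the kernel's "segfault at" lines by hand gets tedious once a desktop process keeps dying. The helper below is an added example (it is not code from the post), a small Python triage script for the segfault lines that dmesg/journalctl print. The sample lines are constructed: the pids, addresses, offsets and mapping sizes are made up; only the process name gnome-shell, the anydesk binary and the library libmutter-6.so.0 come from the post. The "controlled-looking address" check is a heuristic assumption, not something the post states about this crash.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample dmesg output (labelled as such): two fake segfault lines and one
# unrelated kernel message. Addresses, pids and sizes are invented for the example.
SAMPLE_DMESG = """\
[ 1234.567890] gnome-shell[2345]: segfault at 41414141 ip 00007f2b5d1c3e40 sp 00007ffd1c0a6a10 error 4 in libmutter-6.so.0[7f2b5d0a0000+160000]
[ 1300.001122] anydesk[2901]: segfault at 0 ip 000055d0c4a1b2c3 sp 00007ffe7b0c1d20 error 6 in anydesk[55d0c4800000+900000]
[ 1400.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# x86 kernel format (arch/x86/mm/fault.c, show_signal_msg):
#   comm[pid]: segfault at ADDR ip IP sp SP error CODE in MODULE[BASE+SIZE]
# Newer kernels print MODULE[OFFSET,BASE+SIZE] and may append "likely on CPU N";
# the optional "OFFSET," and the trailing text are tolerated by the pattern.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?:[0-9a-f]+,)?(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


@dataclass
class SegfaultEvent:
    comm: str
    pid: int
    addr: int
    ip: int
    sp: int
    err: int            # x86 page-fault error code: bit0 present, bit1 write, bit2 user
    module: Optional[str]
    base: Optional[int]
    size: Optional[int]

    @property
    def is_write(self) -> bool:
        return bool(self.err & 0x2)

    @property
    def ip_offset(self) -> Optional[int]:
        """Offset of the faulting instruction inside the mapped module; this is the
        number to look up in Ghidra or to pass to addr2line/gdb for that library."""
        if self.base is None:
            return None
        return self.ip - self.base

    def looks_controlled(self) -> bool:
        """Heuristic: a fault address made of one repeated printable byte (e.g. 0x41414141)
        usually means input such as a long "A"-string reached a pointer or a length."""
        if self.addr == 0:
            return False
        raw = self.addr.to_bytes((self.addr.bit_length() + 7) // 8, "little")
        return len(raw) >= 4 and len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7F


def parse_segfault(line: str) -> Optional[SegfaultEvent]:
    """Parse one log line; returns None for lines that are not segfault reports."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return SegfaultEvent(
        comm=g["comm"], pid=int(g["pid"]),
        addr=int(g["addr"], 16), ip=int(g["ip"], 16), sp=int(g["sp"], 16),
        err=int(g["err"], 16), module=g["module"],
        base=int(g["base"], 16) if g["base"] else None,
        size=int(g["size"], 16) if g["size"] else None,
    )


def triage(text: str) -> List[dict]:
    """Summarise every segfault line in a dmesg/journal dump."""
    out = []
    for line in text.splitlines():
        ev = parse_segfault(line)
        if ev is None:
            continue
        out.append({
            "comm": ev.comm,
            "pid": ev.pid,
            "module": ev.module,
            "ip_offset": ev.ip_offset,
            "access": "write" if ev.is_write else "read",
            "controlled": ev.looks_controlled(),
        })
    return out


if __name__ == "__main__":
    for e in triage(SAMPLE_DMESG):
        off = f"{e['ip_offset']:#x}" if e["ip_offset"] is not None else "?"
        print(f"{e['comm']}[{e['pid']}] {e['access']} fault in {e['module']}+{off}"
              f" controlled={e['controlled']}")
```

Run it against a real dump with `journalctl -k | python3 triage.py` after changing the `__main__` block to read stdin; the module offset it prints is the value to jump to in the disassembler, which saves a round trip through gdb when the desktop is already frozen.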

So:

The version I used is presented in one of the other log files (AFAIK this one was presented by AnyDesk):


At this stage it's probably good to mention I hadn't "yet" started to play with the 'case described in the article I found' (mentioned above). ;)

So far - we are somewhere here:

- I created a 'new session' with a very long "A"-name

- I tried to connect to my local desktop.

After another restart (and PuTTY connected as a backup console) I attached gdb to gnome-shell and "connected" again. Here we go:

 


At this stage I continued (mostly) in gdb:


To get a bigger picture:


Let's go deeper...


Checking logs:

Here we have some more details:


I switched to pwndbg:


Checking the heap using the vis command:

More output at the end:

Next in the logfiles I saw:

And:

Checking gnome-shell with the checksec script:

Output from ldd:

And that's how I landed here:


My next step was to open gnome-shell in Ghidra to understand more about the target binary:

That's how I landed here:


After a while I found some more docs and that's how I found this page in one of them:


 

My next jump to the sources:



Reading more:

...and more sources of course:


...and I went back to Ghidra to understand more after all those docs. I landed here:

After I added libmutter-6.so.0 to Ghidra I was able to read more from gdb's bt command, for example:

Next:

At this point I found that the bug had also been found in the past, also in Ubuntu but for a previous version of gnome-shell:

More about it:

I was testing the default one available for Ubuntu 20:

So: GNOME Shell 3.36.9.

Reading the comments we can see this hint:


Maybe you'll find it useful. ;) 

 

More bugs soon. Stay tuned... ;)



Cheers




