{"id":40329,"date":"2023-04-12T21:31:33","date_gmt":"2023-04-12T17:31:33","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/171829\/ZSL-2023-5770.txt"},"modified":"2023-04-16T15:08:25","modified_gmt":"2023-04-16T10:38:25","slug":"google-chrome-browser-111-0-5563-64-axplatformnodecocoa-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/google-chrome-browser-111-0-5563-64-axplatformnodecocoa-denial-of-service\/","title":{"rendered":"Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Denial Of Service"},"content":{"rendered":"

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM\/Crash (macOS)<\/p>\n

Vendor: Google LLC
\nProduct web page: https:\/\/www.google.com
\nAffected version: 111.0.5563.64 (Official Build) (x86_64)
\n110.0.5481.100 (Official Build) (x86_64)
\n108.0.5359.124 (Official Build) (x86_64)
\n108.0.5359.98 (Official Build) (x86_64)
\nFixed version: 112.0.5615.49 (Official Build) (x86_64)<\/p>\n

Summary: Google Chrome browser is a free web browser used for
\naccessing the internet and running web-based applications. The
\nGoogle Chrome browser is based on the open source Chromium web
\nbrowser project. Google released Chrome in 2008 and issues several
\nupdates a year.<\/p>\n

Desc: Fatal OOM\/crash of Chrome browser while detaching\/attaching
\ntabs on macOS.<\/p>\n

Commit fix:<\/p>\n

“The original cl landed many months ago, but
\nchrome\/browser\/ui\/views\/frame\/browser_non_client_frame_view_mac.mm
\nis the only change that didn’t revert cleanly.”<\/p>\n

macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)<\/p>\n

Implements accessibility hit testing for RemoteCocoa so that Hover Text
\nand VoiceOver mouse mode can read the accessible objects under the
\nuser’s pointer. Cross-process plumbing was needed because RemoteCocoa
\nbridges to native controls in a separate app shim process and must
\nreport accessibility trees from the browser process via the
\nundocumented NSAccessibilityRemoteUIElement mechanism.<\/p>\n

This CL does the following:<\/p>\n

1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES
\nin the browser process. This enables the browser process to accept
\nredirected accessibilityHitTest calls to the object corresponding to
\nany NSAccessibilityRemoteUIElement returned by the original
\naccessibilityHitTest at the app shim process.<\/p>\n

2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame’s
\naccessibilityHitTest to have a custom implementation with
\nNSAccessibilityRemoteUIElement support so that custom window
\ncontrols can be found. Additionally, adjusts the BrowserView bounds
\nso that AXPlatformNodeCocoa’s accessibilityHitTest (which doesn’t
\nsupport view targeting) can return controls in the web app frame
\ntoolbar.<\/p>\n

3. (For Web Content) Implements RenderWidgetHostViewCocoa’s
\naccessibilityHitTest for instances in the app shim to return a
\nNSAccessibilityRemoteUIElement corresponding to their counterparts
\nin the browser process so that web content objects can be found.<\/p>\n

Tested on: macOS 12.6.1 (Monterey)
\nmacOS 13.3.1 (Ventura)<\/p>\n

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
\n@zeroscience<\/p>\n

Advisory ID: ZSL-2023-5770
\nAdvisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2023-5770.php<\/p>\n

08.12.2022<\/p>\n

—<\/p>\n

UI PoC:
\n——-
\n1. Grab a tab and detach it.
\n2. Bring back the tab.
\n3. Do this 2-3 times attaching \/ re-attaching the tab.
\n4. Chrome will hang (100% CPU) \/ Out-of-Memory (OOM) for 7-8 minutes.
\n5. Process crashes entirely.<\/p>\n

Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
\nRef: https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=1400682
\nRef: https:\/\/chromium-review.googlesource.com\/c\/chromium\/src\/+\/3861171
\nRef: axtester.mm terminal PoC by xi.ch…@gmail.com (https:\/\/bugs.chromium.org\/u\/161486905)<\/p>\n

=============
\n\/\/
\n\/\/ Copyright (c) Microsoft Corporation. All rights reserved.
\n\/\/<\/p>\n

#include <ApplicationServices\/ApplicationServices.h><\/p>\n

#include <iostream>
\n#include <sstream>
\n#include <vector><\/p>\n

__BEGIN_DECLS
\n\/\/ NOLINTNEXTLINE
\nAXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *);
\n\/\/ NOLINTNEXTLINE
\nCFTypeID AXTextMarkerGetTypeID();
\n__END_DECLS<\/p>\n

std::ostream& bold_on(std::ostream& os)
\n{
\nif (isatty(STDOUT_FILENO))
\n{
\nreturn os << “\\e[1m”;
\n}
\nreturn os;
\n}<\/p>\n

std::ostream& bold_off(std::ostream& os)
\n{
\nif (isatty(STDOUT_FILENO))
\n{
\nreturn os << “\\e[0m”;
\n}
\nreturn os;
\n}<\/p>\n

std::string from_cfstr(CFTypeRef cf_ref)
\n{
\nif (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID())
\n{
\nconst auto cf_str = static_cast<CFStringRef>(cf_ref);
\nconst auto max_length = static_cast<size_t>(CFStringGetMaximumSizeForEncoding(
\nCFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1;<\/p>\n

auto result = std::string(max_length, ‘\\0’);
\nif (CFStringGetCString(cf_str, result.data(), static_cast<CFIndex>(max_length), kCFStringEncodingUTF8))
\n{
\nif (const auto pos = result.find(‘\\0’); pos != std::string::npos)
\n{
\nresult.resize(pos);
\n}
\nreturn result;
\n}
\n}
\nreturn {};
\n}<\/p>\n

std::string ax_element_id(AXUIElementRef value)
\n{
\n\/\/ AX element cache – AX elements are backed by CFData
\n\/\/ (referring to ‘remote’ AX objects) and this data is
\n\/\/ ‘stable’ across ‘volatile’ instances of AXUIElement.
\n\/\/ ‘hash and equality’ of AX elements are based on this
\n\/\/ data and therefore, we can use AXUIElement objects as
\n\/\/ ‘keys’ in a dictionary with values, identifying these
\n\/\/ objects (uniquely).
\nconst static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
\n&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);<\/p>\n

auto ax_id = CFDictionaryGetValue(ax_elements, value);<\/p>\n

if (ax_id == nullptr)
\n{
\nif (const auto uuid = CFUUIDCreate(kCFAllocatorDefault))
\n{
\nif (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid))
\n{
\nCFDictionarySetValue(ax_elements, value, uuid_s);<\/p>\n

CFRelease(uuid_s);
\n}
\nCFRelease(uuid);
\n}<\/p>\n

ax_id = CFDictionaryGetValue(ax_elements, value);
\n}<\/p>\n

return from_cfstr(ax_id);
\n}<\/p>\n

template <typename T>
\nT ax_attribute_value(AXUIElementRef e, CFStringRef name)
\n{
\nif (e != nullptr)
\n{
\nauto ref = T{};
\nif (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess)
\n{
\nreturn ref;
\n}
\n}
\nreturn nullptr;
\n}<\/p>\n

\/\/ NOLINTNEXTLINE
\nvoid ax_traverse(AXUIElementRef elem, uint32_t depth)
\n{
\nconst auto max_depth = 10;
\nif (depth > max_depth)
\n{
\nreturn;
\n}<\/p>\n

const auto indent = [&]()
\n{
\nfor (auto x = 0; x < depth; x++)
\n{
\nstd::cout << ” “;
\n}
\n};<\/p>\n

auto wid = CGWindowID{};
\nif (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess)
\n{
\nwid = 0;
\n}<\/p>\n

indent();
\nconst auto role = ax_attribute_value<CFTypeRef>(elem, kAXRoleAttribute);<\/p>\n

std::cout << bold_on << “[*** DEPTH: ” << depth << “, ROLE: ” << from_cfstr(role) <<
\n“, ID: ” << ax_element_id(elem) << “, WINDOW: ” << wid << ” ***]” << bold_off <<
\nstd::endl;<\/p>\n

if (const auto children = ax_attribute_value<CFArrayRef>(elem, kAXChildrenAttribute))
\n{
\nfor (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++)
\n{
\nconst auto element = static_cast<AXUIElementRef>(CFArrayGetValueAtIndex(children, idx));
\nax_traverse(element, depth + 1);
\n}
\nCFRelease(children);
\n}
\n}<\/p>\n

int main(int argc, char* const argv[])
\n{
\nauto pid = 0;<\/p>\n

if (argc > 1)
\n{
\nif (!AXIsProcessTrusted())
\n{
\nstd::cerr << “Please ‘AX approve’ Terminal in System Preferences” << std::endl;
\nexit(1); \/\/ NOLINT
\n}
\n\/\/ NOLINTNEXTLINE
\npid = std::stoi(argv[1]);
\n}
\nelse
\n{
\nstd::cerr << “usage: axtester <pid>” << std::endl;
\nexit(1); \/\/ NOLINT
\n}<\/p>\n

if (const auto app = AXUIElementCreateApplication(pid))
\n{
\nauto observer = AXObserverRef{};
\nauto ret = AXObserverCreate(pid, [](auto \/*unused*\/, AXUIElementRef \/*unused*\/, CFStringRef name, auto ctx)
\n{
\nauto myapp = (__AXUIElement*)(ctx);
\nauto hint = CFStringGetCStringPtr(name,kCFStringEncodingUTF8);
\nstd::cout << “Hint: ” << hint << std::endl;
\nax_traverse(myapp, 0);
\n}, &observer);<\/p>\n

if (kAXErrorSuccess != ret)
\n{
\nstd::cerr << “Fail to create observer” << std::endl;
\nreturn -1;
\n}<\/p>\n

std::cout << “title:” << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl;
\nstd::cout << “focus_window:” << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl;
\nstd::cout << “focus_element:” << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl;
\nstd::cout << “move:” << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl;
\nstd::cout << “resize:” << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl;
\nstd::cout << “deminiaturized:” << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl;
\nstd::cout << “miniaturize:” << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl;
\nCFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode);
\nCFRunLoopRun();
\n}<\/p>\n

return 0;
\n}<\/p>\n

–codeaibot explains–<\/p>\n

This is a C++ program that uses the Accessibility API (AX) provided
\nby macOS to traverse the user interface of a running application and
\nprint out information about the accessibility elements that it finds.<\/p>\n

The program takes a single argument, which is the process ID (PID) of
\nthe application to examine. If no argument is provided, the program
\ndisplays a usage message and exits.<\/p>\n

The main() function first checks if the Terminal app has been granted
\naccessibility privileges by calling the AXIsProcessTrusted() function.
\nIf it hasn’t, the program displays an error message and exits.<\/p>\n

If the Terminal app has been granted accessibility privileges, the program
\ncreates an AXUIElementRef object for the application using the AXUIElementCreateApplication()
\nfunction, passing in the PID as an argument.<\/p>\n

The ax_traverse() function is then called with the root accessibility
\nelement of the application as an argument. This function recursively
\ntraverses the accessibility tree of the application, printing out
\ninformation about each element it encounters.<\/p>\n

The program also defines several helper functions for working with Core
\nFoundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()),
\nas well as some functions for printing formatted output to the console
\n(bold_on() and bold_off()).<\/p>\n

— \/ —<\/p>\n

As this issue is not a security issue nor results in security consequences,
\nthis report is not eligible for a VRP reward.<\/p>\n

++
\nThank you Amy!
\n—<\/p>\n","protected":false},"excerpt":{"rendered":"

Google Chrome Browser 111.0.5563.64 AXPlatformNodeCocoa Fatal OOM\/Crash (macOS) Vendor: Google LLC Product web page: https:\/\/www.google.com Affected version: 111.0.5563.64 (Official Build) (x86_64) 110.0.5481.100 (Official Build) (x86_64) 108.0.5359.124 (Official Build) (x86_64) 108.0.5359.98 (Official Build) (x86_64) Fixed version: 112.0.5615.49 (Official Build) (x86_64) Summary: Google Chrome browser is a free web browser used for accessing the internet and running …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-40329","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=40329"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40329\/revisions"}],"predecessor-version":[{"id":40410,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/40329\/revisions\/40410"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=40329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=40329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=40329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}