CR-ATTACKER: Exploiting Crash-Reporting Systems Using Timing Gap and Unrestricted File-Based Workflow

Research output: Contribution to journal › Article › peer-review

1 Scopus citations

Abstract

Software vendors widely adopt crash-reporting systems to automate the collection of crash reports, enabling efficient diagnosis and management of software failures. However, these reports often contain detailed memory snapshots of crashed processes, which may include sensitive user data (e.g., credentials and cryptographic keys). Ensuring the security of crash-reporting systems is, therefore, critical to prevent information leakage and potential exploitation. This paper analyzes the security of common crash-reporting system architectures for Linux and identifies two novel attack vectors: 1) a timing gap vulnerability during partial privilege de-escalation and 2) a file-based workflow exploitation between crash-reporting system components. By leveraging these attack vectors, we demonstrate that unprivileged attackers can extract arbitrary memory contents from other processes or manipulate the behavior of crash-reporting systems, leading to information leakage and system compromise. To mitigate these threats, we propose practical defense mechanisms that effectively neutralize both attack vectors, thereby enhancing the overall security of crash-reporting systems. We validate our findings through real-world evaluations on widely used open-source crash-reporting systems, which resulted in the discovery of four new CVEs related to ASLR bypass, arbitrary code execution, and denial-of-service (DoS) attacks. These findings highlight the urgent need for strengthened security measures in modern crash-reporting systems.

Original language: English
Pages (from-to): 54439-54449
Number of pages: 11
Journal: IEEE Access
Volume: 13
DOIs
State: Published - 2025

Keywords

  • bypass ASLR
  • crash reporter
  • denial-of-service
  • exploitation
  • Software crash
