Researcher bags two-for-one deal on Linux bugs while probing GNOME component


Researchers discovered a high-severity remote code execution (RCE) vulnerability in an inherent component of GNOME-based Linux distros, potentially impacting a huge number of users.

Tracked as CVE-2023-43641, exploiting the vulnerability in the relatively small libcue library takes advantage of the tracker-miners application to facilitate a one-click RCE attack.

The issue is thought to impact all GNOME-based distros, including RHEL, SUSE, and Debian, but has only been proven to work on the latest versions of Ubuntu and Fedora so far.

A user just has to download a file and have it stored in a commonly scanned directory, such as the downloads, music, or videos folders, and the attacker can achieve RCE on their machine.

The libcue library is a relatively small one that's used to parse cue sheets – .cue files – which store the metadata that defines the layout of music on a CD. Given that it's often used alongside the FLAC audio format, open source audio players like Audacious depend on the library.

More importantly, another application that uses libcue is tracker-miners, which is included in GNOME-based Linux distros and is responsible for indexing files in the user's home directory so they appear in search results.

[Image: Searching for 'Rick' in a Linux distro, with the operating system returning a result for a music file for Rick Astley's 'Never Gonna Give You Up'. Image courtesy of GitHub]

The tracker-miners application runs automatically when a file is either added or modified in a subdirectory of the home directory. This means the exploit can be triggered as soon as the user downloads a maliciously crafted .cue file, since tracker-miners uses libcue to parse the cue sheet file.

"To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer," said Kevin Backhouse, security researcher at the GitHub Security Lab team.

Other files are also supported by tracker-miners – it has scanners for HTML, JPEG, and PDF files too – but the researcher's proof of concept (PoC) code was limited to using cue sheet files.

Exploiting libcue

Backhouse has only created working exploits for the most recent versions of Ubuntu and Fedora, 23.04 and 38 respectively, but believes any GNOME-based distro is "potentially exploitable".

The full PoCs have not been published yet to give users time to install the patch. Backhouse said the exploits already developed work "very reliably."

The bug itself is categorized as a memory corruption flaw and has been given a provisional severity rating of 8.8 by GitHub. The CVSS score is still being determined.

An issue with the way in which the INDEX syntax of a cue sheet is handled allows a negative index to be constructed, because the atoi call used to convert the index number doesn't check for integer overflow.

The library's track_set_index function doesn't properly check whether the index is a negative integer, and if it is negative, an out-of-bounds write becomes possible:

```c
void track_set_index(Track *track, int i, long ind)
{
	/* Only the upper bound is checked: a negative i passes straight through */
	if (i > MAXINDEX) {
		fprintf(stderr, "too many indexes\n");
		return;
	}

	track->index[i] = ind;   /* out-of-bounds write when i < 0 */
}
```
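As an added illustration (not libcue's own code, nor the GitHub Security Lab PoC), here is the bounds check with the missing lower bound restored, beside a strtol-based parser for an INDEX line that rejects the oversized numbers atoi would have wrapped. The MAXINDEX value, the simplified Track struct and the function names are assumptions for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXINDEX 99   /* assumed value for this example; libcue defines its own */

typedef struct { long index[MAXINDEX + 1]; } Track;   /* simplified stand-in for libcue's Track */

static Track demo_track;   /* constructed target for the sample lines below */

/* Hardened check: the original only tested i > MAXINDEX, so a negative i
 * wrote before the start of the array. Returns 1 if stored, 0 if rejected. */
int track_set_index_safe(Track *track, int i, long ind)
{
    if (i < 0 || i > MAXINDEX) {
        fprintf(stderr, "index %d out of range\n", i);
        return 0;
    }
    track->index[i] = ind;
    return 1;
}

/* Parse one "INDEX nn mm:ss:ff" line. strtol with ERANGE and range checks
 * replaces atoi, whose result on overflow is undefined (and came out negative).
 * Returns 1 when the index was stored, 0 when the line was rejected. */
int parse_index_line(const char *line, Track *track)
{
    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "INDEX", 5) != 0) return 0;
    p += 5;

    char *end;
    errno = 0;
    long num = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || num < 0 || num > MAXINDEX) return 0;

    int mm, ss, ff;
    if (sscanf(end, " %d:%d:%d", &mm, &ss, &ff) != 3) return 0;
    if (mm < 0 || ss < 0 || ss > 59 || ff < 0 || ff > 74) return 0;

    long frames = (mm * 60L + ss) * 75L + ff;   /* CD audio: 75 frames per second */
    return track_set_index_safe(track, (int)num, frames);
}

int main(void)
{
    memset(&demo_track, 0, sizeof demo_track);
    /* constructed sample lines: a valid index, then a number far beyond int range */
    printf("%d\n", parse_index_line("  INDEX 01 00:02:33", &demo_track));          /* 1 */
    printf("%d\n", parse_index_line("  INDEX 4294967295 00:00:00", &demo_track));  /* 0 */
    return 0;
}
```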

Due to the consistency of each distro's heap layout, an attacker could feasibly compile a zip archive containing individual files to exploit the same vulnerability in as many distros as they like to maximize the potential for success.

If these files were all unarchived, only the one that matches the user's distro would be needed to pull off the attack.


The tracker-extract process of tracker-miners makes the memory layout of each distro easier to predict, because a fresh process is started each time tracker-miners runs, rather than the attacker having to contend with a process that's been running for hours.

A new thread is also started by tracker-extract each time. Backhouse said the heap layout in the thread's malloc arena "is very consistent" but varies between distros, meaning the multi-file zip archive would be the most effective approach for attackers.

The bonus bug

Backhouse encountered an issue when developing the PoC exploit for the vulnerability, because the tracker-extract component of tracker-miners has a seccomp sandbox that prevents this kind of exploit from running.

Not realizing that he needed a sandbox escape, Backhouse tried a different method to exploit it, focusing on avoiding the function that previously threw the error, and inadvertently discovered a sandbox escape that was previously unknown to GNOME's developers.

The sandbox escape has already been fixed, and Backhouse plans to publish the original PoC with one line changed to get it to work without the sandbox escape once enough time has passed to allow users to fully patch their systems. ®