Latest commit b103104 Jun 26, 2019

Linux Mint 18.3-19.1 'yelp' command injection bug

Root cause

The URI handlers help://, ghelp://, and man:// are defined in the file /usr/share/applications/yelp.desktop which will execute /usr/local/bin/yelp via Exec=yelp %u whenever one of those URI handlers is invoked.

The file /usr/local/bin/yelp is a simple Python script that parses the incoming URI handler request. This script first searches for the substrings "gnome-help" and "ubuntu-help", and if it doesn't find either one of those substrings then it'll execute /usr/local/bin/yelp without wrapping the argument in quotes.

Contents of /usr/local/bin/yelp:


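import os
import sys

# Everything after the script name is joined into one string and later
# interpolated into a shell command line.
if (len(sys.argv) > 1):
    args = ' '.join(sys.argv[1:])
    if ('gnome-help' in args) and not os.path.exists('/usr/share/help/C/gnome-help'):
        os.system ("xdg-open &")
    elif ('ubuntu-help' in args) and not os.path.exists('/usr/share/help/C/ubuntu-help'):
        os.system ("xdg-open &")
    else:
        # args comes straight from the URI and reaches the shell unquoted
        os.system ("/usr/bin/yelp %s" % args)  # uh oh
else:
    os.system ('/usr/bin/yelp')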

From PoC to Shell

Exploitation took a little bit of creativity since Google Chrome URI-encodes the space (\x20) character, curly brackets {}, the plus character +, the backtick character `, and some others. Since ${IFS} wouldn't work, it was discovered that $IFS$() works just as well: the $() statement prevents the $IFS environment variable from concatenating with other ASCII characters and accidentally becoming $IFSaddedword or similar.



The file yelp.patch modifies the vulnerable statement from os.system ("/usr/bin/yelp %s" % args) to os.system ("/usr/bin/yelp %s" % quote(args)) which leverages the quote() method from the shlex library (
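
The difference between the original statement and the patched one can be observed safely by swapping /usr/bin/yelp for a stand-in that only prints the arguments it receives. This is an added example, not code from this repository: STAND_IN, the wrapper_* functions and the sample URIs are constructed for illustration, and the list-based variant without a shell is an extra alternative that is not part of yelp.patch.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for /usr/bin/yelp: prints the argv it was started with.
STAND_IN = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]


def run_shell(rendered_arg):
    """Run the stand-in through the shell, as os.system() does; return stdout lines."""
    cmd = "%s %s" % (shlex.join(STAND_IN), rendered_arg)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
    return out.splitlines()


def wrapper_vulnerable(args):
    # Same construction as the original script: args pasted in unquoted.
    return run_shell(args)


def wrapper_patched(args):
    # Same construction as yelp.patch: args wrapped with shlex.quote().
    return run_shell(shlex.quote(args))


def wrapper_no_shell(args):
    # Alternative not taken from the page: no shell, argv passed as a list.
    out = subprocess.run(STAND_IN + [args], capture_output=True, text=True).stdout
    return out.splitlines()


# Constructed sample URIs carrying benign markers only.
SAMPLES = [
    "man:ls",
    "man:ls$(echo MARKER)",
    "man:ls;echo SECOND",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(repr(uri))
        for fn in (wrapper_vulnerable, wrapper_patched, wrapper_no_shell):
            # One argv list per line; any extra line means the shell ran more
            # than the intended program.
            print("  %-20s %s" % (fn.__name__, fn(uri)))
```

In the vulnerable wrapper the shell rewrites the argument or runs a second command before the stand-in ever sees it; in the other two the stand-in receives the URI as one literal argument.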

Instructions for patching

Either patch yelp or remove it.

Patching yelp

  • Install patch: sudo apt install patch
  • Patch yelp script: sudo patch /usr/local/bin/yelp yelp.patch

Removing yelp and its associated URI handlers

  • Removing URI handlers: sudo rm /usr/share/applications/yelp.desktop
  • Removing yelp python script: sudo rm /usr/local/bin/yelp

