Skip to content

b1ack0wl/linux_mint_poc

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
metasploit_module
 
 
LICENSE
 
 
README.md
 
 
yelp.patch
 
 
Linux Mint 18.3-19.1 'yelp' command injection bug Root cause From PoC to Shell Mitigations Overview Instructions for patching Patching yelp Removing yelp and its associated URI handlers

README.md

Linux Mint 18.3-19.1 'yelp' command injection bug

Root cause

The URI handlers help://, ghelp://, and man:// are defined in the file /usr/share/applications/yelp.desktop which will execute /usr/local/bin/yelp via Exec=yelp %u whenever one of those URI handlers is invoked.

The file /usr/local/bin/yelp is a simple python script that parses the incoming URI handler request. This script first searches for the substrings "gnome-help" and "ubuntu-help", and if it doesn't find either one of those substrings then it'll execute /usr/local/bin/yelp without wrapping the argument in quotes.

Contents of /usr/local/bin/yelp:

#!/usr/bin/python

import os
import sys

if (len(sys.argv) > 1):
    args = ' '.join(sys.argv[1:])
    if ('gnome-help' in args) and not os.path.exists('/usr/share/help/C/gnome-help'):
        os.system ("xdg-open http://www.linuxmint.com/documentation.php &")
    elif ('ubuntu-help' in args) and not os.path.exists('/usr/share/help/C/ubuntu-help'):
        os.system ("xdg-open http://www.linuxmint.com/documentation.php &")
    else:
        os.system ("/usr/bin/yelp %s" % args)  # uh oh
else:
    os.system ('/usr/bin/yelp')

From PoC to Shell

Exploitation took a little bit of creativity since Google Chrome URI encodes the space \x20 character, curly brackets {}, the plus + character, the backtick character `, and some others. Since ${IFS} wouldn't work it was discovered that using $IFS$() works just as well since the $() statement prevents the $IFS environment variable from concatenating with other ASCII characters and accidentally becoming $IFSaddedword or so.

Mitigations

Overview

The file yelp.patch modifies the vulnerable statement from os.system ("/usr/bin/yelp %s" % args) to os.system ("/usr/bin/yelp %s" % quote(args)) which leverages the quote() method from the shlex library (https://docs.python.org/3/library/shlex.html#shlex.quote).

Instructions for patching

Either patch yelp or remove it.

Patching yelp

  • Install patch: sudo apt install patch
  • Patch yelp script: sudo patch /usr/local/bin/yelp yelp.patch

Removing yelp and its associated URI handlers

  • Removing URI handlers: sudo rm /usr/share/applications/yelp.desktop
  • Removing yelp python script: sudo rm /usr/local/bin/yelp

[b1ack0wl]

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

53 stars

Watchers

2 watching

Forks

14 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages