febinrev/atril_cbt-inject-exploit
CVE-2023-44452, CVE-2023-51698: Linux Mint Xreader/MATE Atril CBT File Parsing Argument Injection Remote Code Execution Vulnerability

A Critical One-Click RCE/Command Injection Vulnerability Affecting Popular Linux Operating Systems with MATE, Cinnamon, and some Xfce desktop Environments.

Affected Operating Systems:

Linux Mint
Kali Linux (popular among security professionals and researchers)
Parrot OS (popular among security professionals and researchers)
Ubuntu MATE
Xubuntu
Fedora Cinnamon
Fedora MATE
Manjaro MATE
Manjaro Cinnamon
Ubuntu Kylin (official Chinese Ubuntu)
Kylin OS V10 (an OS said to be used in Chinese government sectors)

And other MATE, Cinnamon, and some Xfce desktop Environments.

Affected Software Component: all versions, including the latest, of the Atril Document Viewer (the default document reader of the MATE environment and one of the popular document readers) and the Xreader Document Viewer (the default document reader in Linux Mint).

Vulnerability Summary:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user.

This vulnerability is due to a bad code segment in Atril and Xreader responsible for handling comic book documents (.cbr, .cbz, .cbt, .cb7). Comic book documents are simply archives that contain images. The vulnerability can be exploited using a maliciously crafted CBT document, which is a TAR archive.

Root Cause - Vulnerable Code segment in both doc viewers (comics-document.c):

static const ComicBookDecompressCommand command_usage_def[] = {
        /* RARLABS unrar */
        {"%s p -c- -ierr --", "%s vb -c- -- %s", NULL             , FALSE, NO_OFFSET},

        /* GNA! unrar */
        {NULL               , "%s t %s"        , "%s -xf %s %s"   , FALSE, NO_OFFSET},

        /* unzip */
        {"%s -p -C --"      , "%s %s"          , NULL             , TRUE , OFFSET_ZIP},

        /* 7zip */
        {NULL               , "%s l -- %s"     , "%s x -y %s -o%s", FALSE, OFFSET_7Z},

        /* tar */
        {"%s -xOf"          , "%s -tf %s"      , NULL             , FALSE, NO_OFFSET},

        /* UNARCHIVER */
        {"unar -o -"        , "%s %s"          , NULL             , FALSE, NO_OFFSET}
};

Looking at the code above, we can see that decompression is done through shell-style command lines. In the /* tar */ entry, the extract command is "%s -xOf" and the list command is "%s -tf %s" (the %s placeholders are filled with the tar binary and the archive path), and the name of each image inside the CBT document is appended to the extract command to view/load that image. Because the entry name reaches the command line without validation, an option of the tar program, '--checkpoint-action', can be used to execute arbitrary commands on the target by naming one of the images inside the CBT document something like '--checkpoint-action=EXEC=bash -c "whoami>/tmp/who.txt";.jpg'.

This vulnerability was already found in the Evince document viewer (the default document reader of GNOME) back in 2017. Since Atril and Xreader are forks of Evince, the vulnerability was present in both. Atril's team fixed it at that time by adding a check that quits Atril's process if a page (file) name inside the CBT file contains "--checkpoint-action=". The following was the patch (comics-document.c, line 983):

static char **
extract_argv (EvDocument *document, gint page)
{
        ComicsDocument *comics_document = COMICS_DOCUMENT (document);
        char **argv;
        char *command_line, *quoted_archive, *quoted_filename;
        GError *err = NULL;

        /* Atril's 2017 check: warn and ask GTK to quit when a page name
           carries the injected tar option. gtk_main_quit () only tells the
           GTK main loop to stop; it does not return from this function, so
           execution continues below this block. */
        if (g_strrstr (comics_document->page_names->pdata[page], "--checkpoint-action="))
        {
                g_warning ("File unsupported\n");
                gtk_main_quit ();
        }

        /* ... the rest of the function builds the command line from
           command_usage_def and is omitted here ... */

As you can see, it prints a "File unsupported" warning to the console and quits when it sees "--checkpoint-action=" in a page/filename. I noticed that this only works with an empty file or a really small image file, and if we provide a larger file with more bytes, the "gtk_main_quit ();" function fails, so it continues to run, thus executing the injected arbitrary command.
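The check a document viewer needs at this point is a positive one: refuse any entry name that tar could parse as an option and pass the name after "--", building argv directly instead of a shell command line. The following is an added illustration and is not Atril's or Xreader's own code; the function names, the "book.cbt" archive and the sample entry names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Atril/Xreader code: the entry name is checked and the
 * argv for "tar -xOf" is built directly (no shell), with "--" placed before
 * the member name so tar cannot read it as an option. */

/* Return 1 if tar could never parse this archive entry name as an option. */
int is_safe_entry_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '-')                 /* "-x", "--checkpoint-action=..." */
        return 0;
    return 1;
}

/* Fill argv with: <tar_bin> -xOf <archive> -- <entry>, NULL-terminated.
 * Returns the argument count, or -1 if the name is unsafe or argv is too
 * small. The array is meant for g_spawn_sync()/execvp(), never for a shell. */
int build_tar_extract_argv(const char *tar_bin, const char *archive,
                           const char *entry, const char *argv[], size_t max)
{
    if (!is_safe_entry_name(entry) || max < 6)
        return -1;
    argv[0] = tar_bin;
    argv[1] = "-xOf";
    argv[2] = archive;
    argv[3] = "--";     /* end of options: what follows is a member name */
    argv[4] = entry;
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed sample entry names: the injected option quoted above and an ordinary page. */
    const char *names[] = {
        "--checkpoint-action=EXEC=bash -c \"whoami>/tmp/who.txt\";.jpg",
        "page01.jpg",
    };
    const char *argv[6];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = build_tar_extract_argv("tar", "book.cbt", names[i], argv, 6);
        printf("%s -> %s\n", names[i], n < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

Rejecting the name is the primary control; the "--" separator is defence in depth in case a future code path drops the check.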

In the MATE desktop environment and in many Xfce and other lightweight desktop environments (including distributions such as Kali, Parrot, Xubuntu, Ubuntu MATE, Kylin, Fedora MATE and Manjaro MATE), this vulnerability can be exploited just by sending a link/URL, because these systems ship Atril, and Atril has an additional component called atril-previewer that triggers the exploit without the document ever being opened or clicked. An attacker can craft a webpage that downloads the crafted CBT file onto the target system as soon as the target user visits it; the latest Firefox downloads such files automatically by default without user confirmation. When the user then navigates to the Downloads directory, the payload is executed and the attacker gets a shell.

In Linux Mint (Cinnamon Desktop Environment), the target user must open the document to trigger the payload because Linux Mint uses Xreader and Xreader doesn't have a previewer.

I have attached a fully working exploit along with a demo video in a zip archive (doctTar-inject_exploit.zip) with this submission.

In the demo video, the scenario is as follows:
Attacker machine: Kali Linux
Victim machine: Kali Linux latest edition (2023.3)
The victim visits the malicious URL/link generated by my exploit script.

Demo video: Atril_0day_demo.2.mp4

Exploit Dependencies: poppler-utils
Please install poppler-utils before running the exploit script on your Linux machine (Kali preferred). Installation: apt install poppler-utils.
