A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment.
libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions.
Cue sheets (or CUE files) are plain text files describing the layout of audio tracks on a CD, such as track length, song title, and performer, and are also commonly paired with the FLAC audio file format.
GNOME is a widely used desktop environment across various Linux distributions such as Debian, Ubuntu, Fedora, Red Hat Enterprise Linux, and SUSE Linux Enterprise.
Attackers can successfully exploit the flaw in question (CVE-2023-43641) to execute malicious code by taking advantage of Tracker Miners automatically indexing all downloaded files to update the search index on GNOME Linux devices.
“Because of the way that it's used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today,” said GitHub security researcher Kevin Backhouse, who found the bug.
To exploit this vulnerability, the targeted user must download a maliciously crafted .CUE file, which is then saved in the ~/Downloads folder.
The memory corruption flaw is triggered when the Tracker Miners metadata indexer automatically parses the saved file via the tracker-extract process.
“To cut a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer,” Backhouse said.
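As an added illustration, not code from libcue or from the article: a cue sheet's INDEX lines carry an index number that a parser typically uses to select a slot in a fixed-size per-track table, and the range check below is the kind of validation that keeps an attacker-chosen index number from reaching memory outside that table. It assumes the usual cue-sheet limits (index numbers 00..99, timestamps as mm:ss:ff at 75 frames per second); the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXINDEX 100   /* cue sheets number INDEX entries 00..99 (assumed limit) */

struct track {
    long index[MAXINDEX];   /* frame offset per INDEX slot, -1 = unset */
};

void track_init(struct track *t)
{
    for (int i = 0; i < MAXINDEX; i++)
        t->index[i] = -1;
}

/* Parse one "INDEX nn mm:ss:ff" line into t. Returns the slot number nn on
 * success, or -1 if the line is malformed or nn is outside the table. */
long parse_index_line(struct track *t, const char *line)
{
    const char *num = line + 6;
    char *end;
    long idx, mm, ss, ff;

    if (strncmp(line, "INDEX ", 6) != 0)
        return -1;
    errno = 0;
    idx = strtol(num, &end, 10);
    if (errno != 0 || end == num || *end != ' ')
        return -1;
    /* This bounds check is what separates a hardened parser from one that
     * lets the file author pick an arbitrary offset into t->index[]. */
    if (idx < 0 || idx >= MAXINDEX)
        return -1;
    if (sscanf(end + 1, "%ld:%ld:%ld", &mm, &ss, &ff) != 3)
        return -1;
    if (mm < 0 || ss < 0 || ss > 59 || ff < 0 || ff > 74)
        return -1;
    t->index[idx] = (mm * 60 + ss) * 75 + ff;   /* CD audio: 75 frames/second */
    return idx;
}

/* Constructed helper for testing: parse a single line into a fresh track and
 * return the stored frame offset, or -1 if the parser rejected the line. */
long index_frames_from_line(const char *line)
{
    struct track t;
    track_init(&t);
    long idx = parse_index_line(&t, line);
    return idx < 0 ? -1 : t.index[idx];
}
```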
Backhouse demoed a proof-of-concept exploit and shared a video via Twitter earlier today. However, the release of the PoC will be postponed to give all GNOME users time to update and secure their systems.
While the PoC exploit must be tweaked to work correctly for each Linux distro, the researcher said that he had already created exploits targeting the Ubuntu 23.04 and Fedora 38 platforms that work “very reliably.”
“In my testing, I've found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution),” Backhouse said.
“I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable.”
While successful exploitation of CVE-2023-43641 requires tricking a potential victim into downloading a .cue file, admins are advised to patch systems and mitigate the risks posed by this security flaw, because it provides code execution on devices running the latest releases of widely used Linux distros, including Debian, Fedora, and Ubuntu.
Backhouse has found other severe Linux security flaws in recent years, including a privilege escalation bug in the GNOME Display Manager (gdm) and an authentication bypass in the polkit auth system service installed by default on many modern Linux platforms.
In related news, proof-of-concept exploits have already surfaced for the Looney Tunables high-severity flaw in the GNU C Library's dynamic loader, tracked as CVE-2023-4911, allowing local attackers to gain root privileges on major Linux platforms.