8000 Merge pull request #796 from kevinbackhouse/CVE-2023-43641-poc-complete · github/securitylab@f95c3bb · GitHub

Commit f95c3bb

Merge pull request #796 from kevinbackhouse/CVE-2023-43641-poc-complete
Complete PoC for libcue CVE-2023-43641
2 parents 81327b0 + 0a8ede6 commit f95c3bb


8 files changed

+90123
-2
lines changed

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
mkcue
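Review bot: the file path for this one-line hunk is not rendered on the page, so the added line `mkcue` cannot be tied to its file. It matches the name of the binary the Makefile builds, so if this is an ignore file for the build output, saying so in the commit message would save the next reader the guess.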
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
all: mkcue
2+
3+
clean:
4+
rm mkcue
5+
6+
mkcue: mkcue.cpp utils.cpp utils.h
7+
g++ -Wall -Wextra mkcue.cpp utils.cpp -o mkcue
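Review bot: the `clean` target's `rm mkcue` fails when the binary has not been built yet, so `make clean` is not idempotent; `rm -f mkcue` fixes that. Also declare `.PHONY: all clean` so a stray file named `all` or `clean` in the directory does not shadow the targets. Note that `mkcue.cpp`, `utils.cpp` and `utils.h`, which this rule depends on, are among the 8 changed files but are not rendered on this page.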
Lines changed: 14 additions & 2 deletions
@@ -1,5 +1,17 @@
11
# CVE-2023-43641
22

3-
This directory contains a simple PoC for libcue [CVE-2023-43641](https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj). Downloading [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue) should trigger the bug on most GNOME systems, because [tracker-miners](https://gitlab.gnome.org/GNOME/tracker-miners) automatically scans files in `~/Downloads`. If the filename has a `.cue` extension, then tracker-miners uses [libcue](https://github.com/lipnitsk/libcue) to scan the file. The PoC triggers an out-of-bounds array access, which causes the tracker-extract process to crash.
3+
This directory contains three PoCs for libcue [CVE-2023-43641](https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj).
44

5-
We are delaying the release of the [full PoC](https://youtu.be/beOwspTnc1Y), which exploits the vulnerability to get code execution in tracker-extract.
5+
The first PoC is [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue). Downloading [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue) should trigger the bug on most GNOME systems, because [tracker-miners](https://gitlab.gnome.org/GNOME/tracker-miners) automatically scans files in `~/Downloads`. If the filename has a `.cue` extension, then tracker-miners uses [libcue](https://github.com/lipnitsk/libcue) to scan the file. The PoC triggers an out-of-bounds array access, which causes the tracker-extract process to crash (on an unpatched system).
6+
7+
The second PoC is [lunar.cue](lunar.cue), which exploits the vulnerability to pop a calculator when downloaded on an unpatched Ubuntu 23.04. Here's a [video](https://youtu.be/beOwspTnc1Y) of this PoC.
8+
9+
The third PoC is [fedora38.cue](fedora38.cue), which pops a calculator when downloaded on an unpatched Fedora 38.
10+
11+
The second and third PoCs are both generated by [mkcue.cpp](mkcue.cpp), which you can build and run like this:
12+
13+
```bash
14+
make
15+
./mkcue Ubuntu23_04 > lunar.cue
16+
./mkcue Fedora38 > fedora38.cue
17+
```
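Review bot: the README says each PoC works on an "unpatched" system but never states which libcue release (or which Ubuntu 23.04 / Fedora 38 package versions) carries the fix, so a reader cannot tell from this file whether their system is affected; a sentence pointing at the fixed version next to the advisory link would close that gap. The build snippet also shows only `Ubuntu23_04` and `Fedora38` as arguments to `./mkcue`; documenting what other targets exist and what the tool does with an unrecognised argument would make the generator easier to maintain.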

SecurityExploits/libcue/track_set_index_CVE-2023-43641/fedora38.cue

Lines changed: 44691 additions & 0 deletions
Large diffs are not rendered by default.

SecurityExploits/libcue/track_set_index_CVE-2023-43641/lunar.cue

Lines changed: 44691 additions & 0 deletions
Large diffs are not rendered by default.
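Review bot: `fedora38.cue` and `lunar.cue` are committed as generated artifacts of 44,691 lines each, alongside the generator that the README says produces them, so the rendered page cannot show them and a reviewer cannot confirm that the committed files match the current `./mkcue Ubuntu23_04` and `./mkcue Fedora38` output. Recording the `mkcue.cpp` revision they were generated from (or regenerating them in CI) would keep the two from drifting apart.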
