Complete PoC for libcue CVE-2023-43641 by kevinbackhouse · Pull Request #796 · github/securitylab
Merged
@@ -0,0 +1 @@
mkcue
@@ -0,0 +1,7 @@
all: mkcue

clean:
rm mkcue

mkcue: mkcue.cpp utils.cpp utils.h
g++ -Wall -Wextra mkcue.cpp utils.cpp -o mkcue
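Review bot: the `clean:` target runs a bare `rm mkcue`, which makes `make clean` exit non-zero whenever the binary is not present (a fresh checkout, or a second `make clean`); use `rm -f mkcue`. `all` and `clean` should also be declared `.PHONY: all clean` so that a stray file of that name in the directory cannot shadow the target. Since the compile line hard-codes the flags, consider `g++ $(CXXFLAGS) -Wall -Wextra mkcue.cpp utils.cpp -o mkcue` so a reader can build the generator with `-g` or `-fsanitize=address` from the command line without editing the Makefile.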
16 changes: 14 additions & 2 deletions SecurityExploits/libcue/track_set_index_CVE-2023-43641/README.md
@@ -1,5 +1,17 @@
# CVE-2023-43641

This directory contains a simple PoC for libcue [CVE-2023-43641](https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj). Downloading [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue) should trigger the bug on most GNOME systems, because [tracker-miners](https://gitlab.gnome.org/GNOME/tracker-miners) automatically scans files in `~/Downloads`. If the filename has a `.cue` extension, then tracker-miners uses [libcue](https://github.com/lipnitsk/libcue) to scan the file. The PoC triggers an out-of-bounds array access, which causes the tracker-extract process to crash.
This directory contains three PoCs for libcue [CVE-2023-43641](https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj).

We are delaying the release of the [full PoC](https://youtu.be/beOwspTnc1Y), which exploits the vulnerability to get code execution in tracker-extract.
The first PoC is [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue). Downloading [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue) should trigger the bug on most GNOME systems, because [tracker-miners](https://gitlab.gnome.org/GNOME/tracker-miners) automatically scans files in `~/Downloads`. If the filename has a `.cue` extension, then tracker-miners uses [libcue](https://github.com/lipnitsk/libcue) to scan the file. The PoC triggers an out-of-bounds array access, which causes the tracker-extract process to crash (on an unpatched system).

The second PoC is [lunar.cue](lunar.cue), which exploits the vulnerability to pop a calculator when downloaded on an unpatched Ubuntu 23.04. Here's a [video](https://youtu.be/beOwspTnc1Y) of this PoC.

The third PoC is [fedora38.cue](fedora38.cue), which pops a calculator when downloaded on an unpatched Fedora 38.

The second and third PoCs are both generated by [mkcue.cpp](mkcue.cpp), which you can build and run like this:

```bash
make
./mkcue Ubuntu23_04 > lunar.cue
./mkcue Fedora38 > fedora38.cue
```
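Review bot: "unpatched" is used three times in the new text but never pinned down; the README should state which libcue release fixes CVE-2023-43641 (the advisory linked in the first line is the place to cite) and the tracker-miners versions the two calculator PoCs were actually tested on, since the page itself ties `lunar.cue` to Ubuntu 23.04 and `fedora38.cue` to Fedora 38 and says nothing about other builds. It should also say why one generated file per distribution is needed, i.e. what `mkcue` varies between the `Ubuntu23_04` and `Fedora38` targets, and that `make` needs `g++` (the Makefile hard-codes it). Minor: the first-PoC paragraph links the same filename twice in one sentence; "Downloading it" reads better.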
44,691 changes: 44,691 additions & 0 deletions SecurityExploits/libcue/track_set_index_CVE-2023-43641/fedora38.cue
44,691 changes: 44,691 additions & 0 deletions SecurityExploits/libcue/track_set_index_CVE-2023-43641/lunar.cue