GNOME Bugzilla – Bug 784630
(CVE-2017-1000083) Evince command injection vulnerability in CBT handler
Last modified: 2017-07-17 14:51:17 UTC
From the folks at Project Zero:

"""
Hi,

The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened:

cbt files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive:

// backend/comics/comics-document.c: 914
command_line = g_strdup_printf ("%s %s %s", comics_document->extract_command, quoted_archive, quoted_filename);

While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a tar archive with an embedded file named something like this:

"--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"

(Make sure evince is not sandboxed by apparmor before trying to reproduce the attached POC)

fwilhelm@box $ tar -tf poc.cbt
--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg
fwilhelm@box $ ls -la ~/covfefe.evince
ls: cannot access covfefe.evince: No such file or directory
fwilhelm@box $ evince poc.cbt
fwilhelm@box $ ls -la ~/covfefe.evince
-rw-r----- 1 fwilhelm eng 0 Jun 28 11:05 /home/fwilhelm/covfefe.evince

An easy way to fix this would be to change the ComicBookDecompressCommand entry for tar to

{"%s -xOf --" , "%s -tf -- %s" , NULL , FALSE, NO_OFFSET}

Please credit Felix Wilhelm from the Google Security Team in all releases, patches and advisories related to this issue.

Best,
Felix
"""

And also, importantly:

"""
I've also realized that my patch suggestion does not work as intended due to the weird command line parsing of tar. Sorry about that.
"""
Note that this can presumably be triggered by the evince thumbnailer, which is not sandboxed. And web browsers that allow untrusted websites to auto-download files without user interaction (Chrome, Epiphany) can trigger the thumbnailer to run. So this is web exposed.
Created attachment 355036 [details] [review]
comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely within the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this:

"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

Discovered by Felix Wilhelm from the Google Security Team.
Created attachment 355038 [details] [review]
comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely within the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this:

"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free commercial releases, CBR for those from more dubious provenance), so removing support is the easiest way to avoid the bug triggering.

All this code was rewritten in the development release for GNOME 3.26 to not shell out to any command, closing off this particular attack vector.

Discovered by Felix Wilhelm from the Google Security Team.
Review of attachment 355038 [details] [review]: Looks good. I'll use accepted-commit_after_freeze to refer to coordinated disclosure.
Created attachment 355062 [details] [review]
comics: Remove support for tar and tar-like commands

When handling tar files, or using a command with tar-compatible syntax, to open comic-book archives, both the archive name (the name of the comics file) and the filename (the name of a page within the archive) are quoted to not be interpreted by the shell. But the filename is completely within the attacker's control and can start with "--" which leads to tar interpreting it as a command line flag.

This can be exploited by creating a CBT file (a tar archive with the .cbt suffix) with an embedded file named something like this:

"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"

CBT files are infinitely rare (CBZ is usually used for DRM-free commercial releases, CBR for those from more dubious provenance), so removing support is the easiest way to avoid the bug triggering.

All this code was rewritten in the development release for GNOME 3.26 to not shell out to any command, closing off this particular attack vector.

This also removes the ability to use libarchive's bsdtar-compatible binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two are already supported by unzip and 7zip respectively. libarchive's RAR support is limited, so unrar is a requirement anyway.

Discovered by Felix Wilhelm from the Google Security Team.
On gnome-3-20 you'll also need to cherry-pick:
335c0536c137a8bcc886ca33c1aba6abaf32b99c
and
f932396d1c51646a1535eb28d7c8b1281e794a1a

Patch above applies cleanly after that.
FTR: This has been assigned CVE-2017-1000083.
Embargo date is Thursday 13th July 2017, 12:00 UTC.
Created attachment 355498 [details] [review] Backport of the patch to 3.20.1
Created attachment 355499 [details] [review] Backport of the patch to 3.20.1
Created attachment 355500 [details] [review] Backport of the patch to 3.10.3
The bug is fixed in the gnome-3-20, gnome-3-22 and gnome-3-24 branches, for distributions to cherry pick, or backport to older versions.
There was a typo in configure.ac leading to a warning when installing the software (through a package or from source). It's innocuous though: https://bugzilla.gnome.org/show_bug.cgi?id=785026