Researcher bags two-for-one deal on Linux bugs while probing GNOME component

Researchers discovered a high-severity remote code execution (RCE) vulnerability in an inherent component of GNOME-based Linux distros, potentially impacting a huge number of users.

Tracked as CVE-2023-43641, exploiting the vulnerability in the relatively small libcue library takes advantage of the tracker-miners application to facilitate a one-click RCE attack.

The issue is thought to affect all GNOME-based distros, including RHEL, SUSE, and Debian, but has only been proven to work on the latest versions of Ubuntu and Fedora so far.

A user just has to download a file and have it stored in a commonly scanned directory, such as the downloads, music, or videos folders, and the attacker can achieve RCE on their machine.

The libcue library is a relatively small one that's used to parse cue sheets – .cue files – which store the metadata that defines the layout of music on a CD. Given that it's often used alongside the FLAC audio format, open source audio players like Audacious are dependent on the library.

More importantly, another application that uses libcue is tracker-miners, which is included in GNOME-based Linux distros and is responsible for indexing files in the user's directory so they appear in search results.

The tracker-miners application initializes automatically when a file is either added or modified in a subdirectory of the home directory. This means the exploit can be executed as soon as the user downloads a maliciously crafted .cue file, since tracker-miners uses libcue to pass the cue sheets file.

"To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer," said Kevin Backhouse, security researcher at GitHub Security Lab team.

Other files are also supported by tracker-miners – it has scanners for HTML, JPEG, and PDF files too – but the researcher's proof of concept (PoC) code was limited to using cue sheet files.

Exploiting libcue

Backhouse has only created working exploits for the most recent versions of Ubuntu and Fedora, 23.04 and 38 respectively, but believes any GNOME-based distro is "potentially exploitable".

The full PoCs have not been published yet to offer users time to install the patch. Backhouse said the exploits already developed work "very reliably."

The bug itself is categorized as a memory corruption flaw and has been given a provisional severity rating of 8.8 by GitHub. The CVSS score is still being determined.

An issue with the way in which the INDEX syntax of a cue sheet is handled allows a negative index to be constructed because the atoi method doesn't check for integer overflow.

The scanner's track_set_index function doesn't properly check if the index is a negative integer, and if it is negative, then an out of bounds write exploit becomes possible.

voidtrack_set_index
{
    if (i > MAXINDEX) {
        fprintf(stderr, "too many indexes\n");
                return;
    }
    track->index[i] = ind;
}

Due to the consistency of each distro's heap layout, an attacker could feasibly compile a zip archive containing individual files to exploit the same vulnerability in as many distros as they like to maximize the potential for success.

If these files were all unarchived, only the one that matches the user's distro would be needed to pull off the attack.

• Cisco warns of critical flaw in Emergency Responder code
• IT networks under attack via critical Confluence zero-day. Patch now
• Trio of TorchServe flaws means PyTorch users need an urgent upgrade
• Arm patches GPU driver bug exploited by spyware to snoop on targets

The tracker-extract process of tracker-miners makes the memory layout of each distro easier to predict because a new process is started every time tracker-miners starts, rather than contending with a process that's been running for hours.

A fresh thread is also started by tracker-extract each time. Backhouse said the heap layout in the thread's malloc arena "is very consistent" but varies between distros, meaning the multi-file zip archive would be the most effective approach for attackers.

The bonus bug

Backhouse encountered an issue when developing the PoC exploit for the vulnerability because the tracker-extract component of tracker-miners has a seccomp sandbox that prevents this kind of exploit from running.

After not realizing that he needed a sandbox escape, Backhouse tried a different method to exploit it, focusing on avoiding the function that previously threw the error, and inadvertently discovered a sandbox escape that was previously unknown to GNOME's developers.

The sandbox escape has already been fixed, and Backhouse plans to publish the original PoC with one line changed to get it to work without the sandbox escape once enough time has passed to allow users to fully patch their systems. ®