CD-indexing cue files are the core of a serious Linux remote code exploit

It has been a really very long time because the common laptop person considered .cue files, or cue sheets, the metadata bits that describe the tracks of an optical disc, like a CD or DVD. However cue sheets are getting consideration once more, for all of the unsuitable causes. They’re on the coronary heart of a one-click exploit that might give an attacker code execution on Linux methods with GNOME desktops.

CVE-2023-43641, disclosed by GitHub on October 9, is a reminiscence corruption (or out-of-bounds array writing) situation within the libcue library, which parses cue sheets. NIST has but to offer a rating for the problem, however GitHub’s submission charges it an 8.8, or “Excessive.” Whereas the vulnerability has been patched within the core library, Linux distributions might want to replace their desktops to repair it.

GNOME desktops have, by default, a “tracker miner” that routinely updates every time sure file places in a person’s house listing are modified. If a person was compelled to obtain a cue sheet that took benefit of libcue’s vulnerability, GNOME’s indexing tracker would learn the cue sheet, and code in that sheet may very well be executed.

Kevin Backhouse, a member of GitHub’s Safety Lab, gives a video demonstration of the exploit in his blog post however has not but printed the proof of idea to permit for patching. You may check your system’s vulnerability towards a test cue sheet he offers, which ought to set off “a benign crash.”

The bug is restricted to how libcue reads the index of a disc observe or its quantity and size. Due to the system instruments it makes use of, you may trick libcue into registering a unfavourable quantity for an index. Then, as a result of one other a part of the scanning routine does not examine whether or not an index quantity is unfavourable earlier than it writes it to an array, an attacker can write exterior the array’s bounds. Backhouse’s proposed repair provides a single condition check to the index-setting routine.

Backhouse’s weblog submit explains additional how tracker-miners, like these in GNOME, are notably weak to this sort of exploit.

The present answer is for customers of GNOME-based distributions to replace their methods as quickly as doable. The vulnerability in libcue is patched as of model 2.3.0. Libcue is often a somewhat quiet challenge, maintained largely by Ilya Lipnitskiy alone. It illustrates, but once more, the huge quantities of technological infrastructure underpinned by tiny, unpaid projects.

This is not Backhouse’s first contribution to broad Linux vulnerabilities. He has beforehand discovered points with standard users becoming root with a few commands and a Polkit exploit that also offered root access. Backhouse, regardless of being a recurring bearer of dangerous information, added this footnote to his most up-to-date vulnerability disclosure: “I at present run Ubuntu 23.04 as my principal OS and I love the GNOME desktop surroundings.”