It has been a very long time since the average laptop user gave a thought to .cue files, or cue sheets, the metadata files that describe the tracks of an optical disc such as a CD or DVD. But cue sheets are getting attention again, for all the wrong reasons. They are at the heart of a one-click exploit that could give an attacker code execution on Linux systems running the GNOME desktop.
CVE-2023-43641, disclosed by GitHub on October 9, is a memory corruption (specifically, an out-of-bounds array write) issue in the libcue library, which parses cue sheets. NIST has yet to assign a score to the issue, but GitHub's submission rates it an 8.8, or "High." While the vulnerability has been patched in the core library, Linux distributions will need to update their desktops to fix it.
GNOME desktops have, by default, a "tracker miner" that automatically updates whenever certain file locations in a user's home directory are modified. If a user were induced to download a cue sheet that takes advantage of libcue's vulnerability, GNOME's indexing tracker would read the cue sheet, and code in that sheet could be executed.
Kevin Backhouse, a member of GitHub's Security Lab, provides a video demonstration of the exploit in his blog post but has not yet published the proof of concept, to allow time for patching. You can test your system's vulnerability against a test cue sheet he provides, which should trigger "a benign crash."
The bug is limited to how libcue reads the index of a disc track, that is, its number and length. Because of the system tools it uses, you can trick libcue into registering a negative number for an index. Then, because another part of the scanning routine does not check whether an index number is negative before it writes it to an array, an attacker can write outside the array's bounds. Backhouse's proposed fix adds a single condition check to the index-setting routine.
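As an added illustration, not libcue's own code and not Backhouse's patch, the following hypothetical C program shows the shape of the flaw and of the one-condition fix described above: the index number is read with strtol, which happily accepts a leading minus sign, and the setter validates the number before using it as an array subscript, which is exactly the check whose absence lets a negative index write outside the table. The names (Track, track_set_index, parse_index_line, run_line, count_rejected_samples), the MAX_INDEX bound and the sample INDEX lines are all assumptions made for this example, not values from the library.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical table size; the page does not state libcue's real bound. */
#define MAX_INDEX 100

/* Minimal stand-in for a track: one frame-offset slot per index number. */
typedef struct {
    long frames[MAX_INDEX];
} Track;

/* Convert "mm:ss:ff" (75 frames per second) to a frame count; -1 if malformed. */
static long parse_msf(const char *s) {
    int m, sec, f;
    char extra;
    if (sscanf(s, "%d:%d:%d%c", &m, &sec, &f, &extra) != 3) return -1;
    if (m < 0 || sec < 0 || sec > 59 || f < 0 || f > 74) return -1;
    return (long)m * 60 * 75 + (long)sec * 75 + f;
}

/* Hardened setter. The range test is the single condition the article says
 * the fix adds: without it a negative (or oversized) index would be used
 * directly as the subscript and the write would land outside frames[]. */
static int track_set_index(Track *t, long i, long frame_count) {
    if (i < 0 || i >= MAX_INDEX) return -1;   /* reject before writing */
    t->frames[i] = frame_count;
    return 0;
}

/* Parse one "INDEX <n> <mm:ss:ff>" line. strtol accepts a leading '-', so the
 * parsed number must be validated by the setter rather than trusted. */
static int parse_index_line(Track *t, const char *line) {
    char num[32], msf[32];
    char *end;
    if (sscanf(line, "INDEX %31s %31s", num, msf) != 2) return -1;
    errno = 0;
    long i = strtol(num, &end, 10);
    if (errno != 0 || end == num || *end != '\0') return -1;
    long frame_count = parse_msf(msf);
    if (frame_count < 0) return -1;
    return track_set_index(t, i, frame_count);
}

/* Feed one line into a fresh track; return the value stored in `slot`,
 * or -1 if the line was rejected. */
long run_line(const char *line, int slot) {
    Track t;
    if (slot < 0 || slot >= MAX_INDEX) return -1;
    memset(&t, 0, sizeof t);
    if (parse_index_line(&t, line) != 0) return -1;
    return t.frames[slot];
}

/* Constructed sample lines (not from the page or from Backhouse's test file). */
static const char *SAMPLES[] = {
    "INDEX 00 00:00:00",   /* valid: pregap at frame 0 */
    "INDEX 01 00:02:00",   /* valid: 2 seconds = 150 frames */
    "INDEX -1 00:00:00",   /* negative index: must be rejected */
    "INDEX 200 00:00:00",  /* beyond the table: must be rejected */
};

/* Number of SAMPLES the hardened parser refuses. */
int count_rejected_samples(void) {
    Track t;
    int rejected = 0;
    memset(&t, 0, sizeof t);
    for (size_t k = 0; k < sizeof SAMPLES / sizeof SAMPLES[0]; k++)
        if (parse_index_line(&t, SAMPLES[k]) != 0) rejected++;
    return rejected;
}

int main(void) {
    printf("rejected %d of %zu sample lines\n", count_rejected_samples(),
           sizeof SAMPLES / sizeof SAMPLES[0]);
    printf("INDEX 01 stored as %ld frames\n", run_line("INDEX 01 00:02:00", 1));
    return 0;
}
```

Run as written, the program accepts the two well-formed lines and refuses both the negative and the oversized index; removing the single range test in track_set_index is what turns the negative case into an out-of-bounds write.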
Backhouse's blog post explains further how tracker-miners, like those in GNOME, are particularly vulnerable to this kind of exploit.
The current solution is for users of GNOME-based distributions to update their systems as soon as possible. The vulnerability in libcue is patched as of version 2.3.0. Libcue is generally a rather quiet project, maintained largely by Ilya Lipnitskiy alone. It illustrates, yet again, the vast amount of technological infrastructure underpinned by tiny, unpaid projects.
This is not Backhouse's first contribution to broad Linux vulnerabilities. He has previously found issues that let standard users become root with a few commands, and a Polkit exploit that also provided root access. Backhouse, despite being a recurring bearer of bad news, added this footnote to his most recent vulnerability disclosure: "I currently run Ubuntu 23.04 as my main OS and I love the GNOME desktop environment."