Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-50254 PoC — deepin-reader 安全漏洞

Source
https://github.com/febinrev/deepin-linux_reader_RCE-exploit
Associated Vulnerability
Title:deepin-reader 安全漏洞 (CVE-2023-50254)
Description:deepin-reader是Wuhan deepin Technology Co开源的一款小巧、快速、功能齐全的文档查看工具。 deepin-reader 6.0.7之前版本存在安全漏洞,该漏洞源于存在文件覆盖漏洞,可能会导致远程代码执行(RCE)。
Description
CVE-2023-50254: PoC Exploit for Deepin-reader RCE that affects unpatched Deepin Linux Desktops. Deepin Linux's default document reader "deepin-reader" software suffers from a serious vulnerability due to a design flaw that leads to Remote Command Execution via crafted docx document.
Readme
# CVE-2023-50254 - Deepin Linux's default document viewer deepin-reader RCE
CVE-2023-50254: PoC Exploit for Deepin-reader RCE that affects unpatched Deepin Linux Desktops. Deepin Linux's default document reader "deepin-reader" software suffers from a serious vulnerability due to a design flaw that leads to Remote Command Execution via crafted docx document.

Details

Deepin-reader is the default document reader for the Operating System Deepin Linux. The deepin-reader performs some shell command operations while dealing with docx document format.

1. When opening a docx document , deepin-reader creates a temporary directory under /tmp and places the docx document under the directory

2. Then deepin-reader calls the "unzip" shell command to extract the docx file

3. After the extraction process, deepin-reader calls "pandoc" command to convert the docx file to an html file named "temp.html" under word/ directory (created when the docx file is extracted with unzip). The command will look something like this, "pandoc temp.docx -o word/temp.html

4. Then deepin-reader will try to convert that HTML file to pdf and open the pdf.

This happens when we open a docx file in Deepin Linux OS.
![image](https://github.com/febinrev/deepin-linux_reader_RCE-exploit/assets/52229330/57fed21a-025b-44d6-83fc-1ab51b2a8946)

This behavior can be exploited by placing a symlink named word/temp.html inside a crafted malicious docx pointing to any file inside the target system.

So, while opening the docx file, pandoc will write to the system file that the symlink word/temp.html is pointing to.


This is a File overwrite vulnerability.
A Remote Code Execution can be achieved by overwriting files like .bash_rc, .bash_login, etc. Rce will be triggered when the user opens the terminal.


Advisory: https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-q9jr-726g-9495
File Snapshot

 [4.0K]  /data/pocs/c0aafd12539d5336016e3b34e0688a61804863a4
├── [2.0K]  deepin-reader_exploit.sh
└── [1.8K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.