CVE-2023-44452 & 51698: The Linux Mint Xreader/MATE Atril RCE Vulnerability
Two menacing new vulnerabilities, CVE-2023-44452, and CVE-2023-51698, have been unmasked within the Linux universe. This critical Remote Code Execution (RCE) flaw, discovered by security researcher Febin Mon Saji, targets unsuspecting users of popular Linux distributions, turning an innocuous act of file viewing into a gateway for cyber exploitation.
This alarming security flaw predominantly impacts users of the Linux Mint, Kali Linux, Parrot OS, and various distributions featuring MATE, Cinnamon, and some Xfce desktop environments. The affected software components include all versions of Atril and Xreader, the default document viewers in these environments. Users of these systems are susceptible to an attack that requires little more than opening a seemingly harmless document.
The vulnerability lies in the parsing of CBT (Comic Book TAR) files. These files, typically harmless archives containing images, become weapons in the hands of a skilled attacker. The exploit hinges on a vulnerable code segment in Atril and Xreader, which incorrectly handles shell commands used for decompressing these comic book documents.
The crux of the exploit involves the ‘tar’ command’s ‘–checkpoint-action’ option, which can be manipulated to execute arbitrary commands on the target system. This technique was notably leveraged against the Evince Document viewer in 2017 and has since reemerged in its forked versions, Atril and Xreader.
The exploitation methods vary across desktop environments. In environments like MATE, the presence of an additional component, atril-previewer, allows for exploitation merely through a crafted URL. A crafted webpage can trigger an automatic download of a malicious CBT file, leading to automatic execution when the user accesses their Downloads directory.
In contrast, users of the Linux Mint Cinnamon Desktop Environment must actively open the malicious document to trigger the payload, as Xreader does not feature a similar previewer component.
While efforts were made to patch this vulnerability in the past, these fixes have proven insufficient. Atril’s initial patch, which was intended to halt the process if a “–checkpoint-action=” string is detected, fails when larger image files are used in the exploit. This loophole allows the vulnerability to persist and be exploited under certain conditions.
Security researcher Febin Mon Saji, who unearthed this flaw, has published a proof-of-concept and released a video demonstration, bringing to light the severity and potential impact of this vulnerability. His findings underscore the necessity for heightened vigilance and prompt action in the Linux community.