CVE-2023-50254: Deepin Reader Remote Code Execution Vulnerability

Deepin Linux has long been celebrated for its aesthetics and user-friendliness, especially among open-source enthusiasts. Developed by a Chinese team, it has earned a reputation for being one of the most visually appealing Linux distributions available. However, in the world of cybersecurity, even the most elegant systems can house dangerous vulnerabilities. This brings us to a critical flaw discovered in Deepin Linux’s default document reader, deepin-reader.

The deepin-reader, an integral part of the Deepin Linux ecosystem, is designed to offer seamless document viewing and management. However, beneath its efficient facade lurks a design flaw with severe implications: remote command execution through a carefully crafted docx document.

The vulnerability unfolds in a multi-step process that begins innocently enough. When a user opens a docx file, deepin-reader creates a temporary directory in /tmp and places the docx document there. It then employs the “unzip” shell command to extract the file. This is where things get tricky.

Post-extraction, deepin-reader calls on “pandoc” to convert the docx file to an HTML file, “temp.html”, in the “word/” directory. This process seems straightforward, but it’s precisely here that the vulnerability takes shape. The seemingly benign conversion is the gateway to potential system compromise.

Attackers exploit this vulnerability by embedding a symlink named “word/temp.html” within a malicious docx file. This symlink can point to any file within the target system. Consequently, when pandoc writes to “word/temp.html”, it is in fact overwriting the file the symlink points to, without the user’s knowledge.
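The three steps above (unzip into a temporary directory, then let a converter write into the extracted tree) are a classic archive-handling pitfall, and the defence is the same whether the viewer is deepin-reader or any other tool that unpacks zip-based formats. The following Python is an added illustration, not code from deepin-reader or from the researcher’s proof-of-concept: it inspects a docx (which is just a zip) for symlink and path-escaping entries before extracting anything, and when it does write files it opens them with O_EXCL and O_NOFOLLOW so a write can never be redirected through a link. The sample archives it builds are constructed test fixtures; the symlink target path in the hostile fixture is a placeholder, not a real file.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile

# A .docx is a zip archive. The chain described above hinges on two things a
# document viewer can defend against: (1) the archive may carry a symlink entry
# (here word/temp.html) that "unzip" recreates on disk, and (2) a later write to
# that path follows the symlink. The checks below refuse (1) and open output
# files with O_NOFOLLOW | O_EXCL so (2) cannot redirect a write.


def find_unsafe_entries(data: bytes) -> list:
    """Return (name, reason) for every entry a document viewer should refuse."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                unsafe.append((name, "symlink entry"))
                continue
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                unsafe.append((name, "path escapes extraction directory"))
    return unsafe


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only after the archive passes inspection; never follow symlinks on write."""
    bad = find_unsafe_entries(data)
    if bad:
        raise ValueError(f"refusing archive: {bad}")
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            # Belt and braces: the resolved path must stay inside dest.
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry escapes {dest}: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # O_EXCL fails if anything (including a dangling symlink) already
            # exists; O_NOFOLLOW refuses a symlink at the final path component.
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
            fd = os.open(target, flags, 0o600)
            with os.fdopen(fd, "wb") as out:
                out.write(zf.read(info))
            written.append(info.filename)
    return written


def build_sample_docx(with_symlink: bool) -> bytes:
    """Constructed test fixture: a minimal docx-shaped zip, optionally carrying a
    symlink entry at word/temp.html that points at a placeholder path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_symlink:
            info = zipfile.ZipInfo("word/temp.html")
            info.create_system = 3  # Unix, so the mode bits are honoured
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, "/tmp/placeholder-symlink-target")  # constructed target
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise both fixtures and return the results for programmatic checking."""
    clean, hostile = build_sample_docx(False), build_sample_docx(True)
    result = {
        "clean_findings": find_unsafe_entries(clean),
        "hostile_findings": find_unsafe_entries(hostile),
    }
    with tempfile.TemporaryDirectory() as d:
        result["clean_extracted"] = sorted(safe_extract(clean, d))
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(hostile, d)
            result["hostile_refused"] = False
        except ValueError:
            result["hostile_refused"] = True
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. First, inspection happens on the archive’s own metadata before a single byte reaches the filesystem, which is cheaper and safer than trying to clean up after a shell `unzip`. Second, even if a viewer trusted its extraction step, opening the converter’s output with O_EXCL and O_NOFOLLOW is an independent safeguard: the write then runs with the privileges of the user who opened the document, but it can only ever create a fresh regular file inside the temporary directory.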

Tracked as CVE-2023-50254 and assigned a high CVSS score of 8.2, this vulnerability affects versions of deepin-reader prior to 6.0.7. It’s classified as a file overwrite vulnerability but holds the potential for something more sinister: remote code execution.

Remote code execution (RCE) is achievable by overwriting critical files like .bashrc or .bash_login. The danger materializes when the user opens the terminal, triggering the RCE. It’s a stark reminder of how seemingly benign operations can escalate into full-blown security emergencies.

The cybersecurity community owes its gratitude to security researcher Febin. Not only did Febin identify this flaw, but they also took the responsible step of publishing a proof-of-concept, aiding in the broader understanding of the vulnerability.

The Deepin team has released a patch to address this issue. So, if you’re a Deepin user, updating your system to the latest version is your best defense against the CVE-2023-50254 flaw.