This Metasploit module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload.
be7441cb5d0ca4f4495067990292385a52fbdd586a1d34cad46036dcc7576c4cEvince version 3.24.0 suffers from a command injection vulnerability.
d6ee91ce364604fed7dad5bab2fc980ac42e3d5eca3fbd4d82a3c4e8ed364afcRed Hat Security Advisory 2017-2388-01 - The evince packages provide a simple multi-page document viewer for Portable Document Format, PostScript, Encapsulated PostScript files, and, with additional back-ends, also the Device Independent File format files. Security Fix: It was found that evince did not properly sanitize the command line which is run to untar Comic Book Tar files, thereby allowing command injection. A specially crafted CBT file, when opened by evince or evince-thumbnailer, could execute arbitrary commands in the context of the evince program.
512dd80e6b0c1060a6cb4f99fb426012f9774d3425ee63fcc42fa0968e9026c5Ubuntu Security Notice 3351-1 - Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book files. An attacker could use this to construct a malicious cbt comic book format file that, when opened in Evince, executes arbitrary code. Please note that this update disables support for cbt files in Evince.
3fe5d19b26214d0b95ad2ff9a1f3a7333b9d4af545c0497976e300077f278004
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed