A bug in the libcue library creates a vulnerability in Gnome that allows attackers to inject malicious code on victims' systems with just one click. Updates for Gnome that resolve the issue are available. IT managers should apply them quickly.
As Kevin Backhouse of GitHub Security Lab writes in an analysis, the issue is a potential memory corruption in the libcue library. CUE is more likely to mean something to older readers: cue sheets hold metadata about CD images, such as the start and end times of the individual tracks. According to Backhouse, they are still used in connection with the FLAC audio codec.
Gnome vulnerability: Inconspicuous library with a big impact
That’s why numerous audio players like Audacious still process such files today. Gnome also comes with the tracker-miners application. This indexes the files in the user home directory to make them easily searchable. If files are stored or changed in certain subdirectories of the home directory such as ~/Downloads, tracker-miners updates the index.
An attacker therefore only needs to convince a potential victim to click on a link that downloads the malicious code. The automatic indexing then causes it to be executed.
Incorrect processing in libcue
libcue contained a bug in its processing of the “INDEX” element in cue sheets. The error can be triggered if “INDEX 4294567296 0” appears in the cue sheet instead of “INDEX 01 00:00:00” (the format being: index, track number, start time). This causes an integer overflow in the functions used, because the value, which lies close to 2^32, is converted into -400000 by the atoi function. Another function (track_set_index) does not check whether the index is positive. As a result, the code can write to locations outside the intended memory areas.
Backhouse further explains that, for a working proof-of-concept, he still had to bypass Address Space Layout Randomization (ASLR) as well as a seccomp sandbox that tracker-miners relies on to protect against such exploits. Backhouse is holding back the proof-of-concept code for the time being so that as many IT managers and users as possible can update their Gnome desktop.
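The conversion and the missing check described above, as an added example in C (not libcue's own code and not taken from Backhouse's analysis). The names narrowed_index, track_set_index_checked and apply_index_line and the bound MAXINDEX = 99 are assumptions of this sketch, and only the leading number of the start field is read.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAXINDEX 99 /* assumed upper bound for this sketch */

struct track { long index[MAXINDEX + 1]; };

/* Models the conversion the article describes: the decimal text is parsed
 * into a wide integer and then narrowed to 32 bits, so a value just below
 * 2^32 comes out negative. */
static int narrowed_index(const char *field) {
    return (int)(int32_t)(uint32_t)strtoll(field, NULL, 10);
}

/* Hardened setter (hypothetical name): parse with error reporting, then
 * range-check before the value is used as an array subscript.
 * Returns 0 on success, -1 if the field is rejected. */
static int track_set_index_checked(struct track *t, const char *field, long start) {
    char *end;
    errno = 0;
    long long v = strtoll(field, &end, 10);
    if (end == field || *end != '\0' || errno == ERANGE)
        return -1;                 /* not a clean decimal number */
    if (v < 0 || v > MAXINDEX)
        return -1;                 /* negative or too large: reject */
    t->index[v] = start;
    return 0;
}

/* Splits an "INDEX <n> <start>" line and applies the checked setter. */
static int apply_index_line(struct track *t, const char *line) {
    char num[32];
    long start;
    if (sscanf(line, "INDEX %31s %ld", num, &start) != 2)
        return -1;
    return track_set_index_checked(t, num, start);
}

int main(void) {
    struct track t = {{0}};
    /* Both cue sheet lines are the ones quoted in the article. */
    printf("narrowed index: %d\n", narrowed_index("4294567296"));
    printf("trigger line:   %d\n", apply_index_line(&t, "INDEX 4294567296 0"));
    printf("normal line:    %d\n", apply_index_line(&t, "INDEX 01 00:00:00"));
    return 0;
}
```

With the narrowed value used directly as a subscript, the write would land 400000 elements before the start of the array; the checked setter refuses the line before any memory is touched.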
Kevin Backhouse clearly enjoyed creating the security alert. In the example cue sheets and music files there are constant references to Rick Astley and his 80s hit “Never gonna give you up”. However, the video or song doesn’t play at any point, so it’s probably an unfinished Rickroll. It’s still a catchy tune for those who still know it.
Gnome users should install the update quickly. For the recently discovered glibc vulnerability, stable proof-of-concept exploits appeared just two days after it became known, allowing malicious actors to easily abuse the vulnerability.