Security: Arbitrary shell command injection through PDF import or unpaper preprocessing
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ocrfeeder (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
I have discovered a security vulnerability that allows a malicious actor to inject arbitrary shell commands into a system running `ocrfeeder` with automatic `unpaper` pre-processing enabled.
Proof of concept:
- Create a PDF file with the name `foo; nautilus; bar.pdf`
- Open `ocrfeeder`
- Ensure that settings -> tools -> unpaper images is checked
- Import the PDF file
- `nautilus` is started (If your particular system doesn't have nautilus, you can use any other executable here)
The vulnerability presents itself as follows: When `ocrfeeder` generates the temporary file as an input for `unpaper`, it keeps the name of the originally imported PDF intact (see https:/
Since `ocrfeeder-cli` does not support `unpaper` as far as I understand, exploiting this vulnerability requires the user to explicitly import the malicious file, which leads me to believe that zero-click exploitation is not possible at the moment.
I have also reported this issue to https:/
Metadata:
system: Ubuntu 20.04.4 LTS
affected package version: ocrfeeder 0.8.1+git202001
CVE References
information type: | Private Security → Public Security |
Changed in ocrfeeder (Ubuntu): | |
status: | New → Confirmed |
Digging further, I was able to expand on this. ocrfeeder also uses Python's subprocess.run(cmd, shell=True) when it converts pdf files to images (see https:/ /gitlab. gnome.org/ GNOME/ocrfeeder /-/blob/ master/ src/ocrfeeder/ util/lib. py#L104). While quotation marks are used, nothing prevents us from injecting a subshell into the filename.
Proof of Concept: .pdf`
- keep settings -> tools -> unpaper images turned OFF
- create a PDF file with name `foo$(nautilus)
- Import the PDF file
- `nautilus` is started
The vulnerability causes the subshell to be started when orcfeeder invokes `gs` to convert the PDF file into individual images. This vector is slightly more effective, since it doesn't require the user to have the unpaper option turned on.
EDIT: This was apparently fixed upstream in https:/ /gitlab. gnome.org/ GNOME/ocrfeeder /-/commit/ 5286120c8bc8b7b a74e0f9b19b5262 b509f38cee but the version in the package repository is still affected.