2016-12-26 10:02:54 |
prajith |
description |
This vulnerability is almost the same as CVE-2015-0854. Clicking the "Run a plugin" option while viewing a file with a specially crafted filename allows arbitrary code execution with the permissions
of the user running Shutter.
STEPS TO REPRODUCE:
1) Rename an image to something like "$(firefox)"
2) Open the renamed file in shutter
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
You should see the Firefox browser opened as a separate process.
In lines 7571-7572 of /usr/bin/shutter:
$session_screens{$key}->{'filetype'} = $session_screens{$key}->{'short'};
$session_screens{$key}->{'filetype'} =~ s/.*\.//ig;
If the file doesn't have any extension, $session_screens{$key}->{'filetype'} simply holds the actual filename instead of "undef".
In line 7163 of /usr/bin/shutter:
exec( sprintf( "$^X $plugin_value %d $qfilename $session_screens{$key}->{'width'} $session_screens{$key}->{'height'} $session_screens{$key}->{'filetype'}\n", $socket->get_id ) );
Because "$session_screens{$key}->{'filetype'}" is passed to the exec function with its shell characters unescaped, they are executed directly as the currently running user. |
|
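The two root causes described in the report (the extension substitution leaving an extensionless filename unchanged, and the single-string exec being parsed by a shell) can be closed as sketched below. This is an added example, not Shutter's code or its actual fix; the helper names filetype_of and plugin_argv, the 'unknown' fallback, the 1-8 character extension limit and the sample filenames are assumptions made for illustration.

```perl
use strict;
use warnings;

$| = 1;    # flush our output before the child process prints

# Return a short alphanumeric extension, or undef when the name has none.
# (The 1-8 character limit is an assumption of this example.)
sub filetype_of {
    my ($short) = @_;
    return $short =~ /\.([A-Za-z0-9]{1,8})\z/ ? lc($1) : undef;
}

# Build the plugin command as an argument list, in the same order as the
# sprintf in the report. Parameter names are hypothetical.
sub plugin_argv {
    my ($plugin, $socket_id, $file, $width, $height, $short) = @_;
    my $type = filetype_of($short) // 'unknown';
    return ($^X, $plugin, $socket_id, $file, $width, $height, $type);
}

# Constructed sample filenames: compare the report's substitution with
# the stricter extraction above.
for my $name ('shot.png', 'archive.tar.gz', '$(firefox)', 'a.b;id') {
    (my $old = $name) =~ s/.*\.//ig;
    printf "%-16s substitution=%-12s strict=%s\n",
        $name, $old, filetype_of($name) // 'undef';
}

# List-form system/exec hands each element to the child as one argument;
# no shell parses it, so "$(firefox)" arrives as literal text.
my @argv = ($^X, '-e', 'print "received: $ARGV[0]\n"', '$(firefox)');
system { $argv[0] } @argv;

# A real call site would end with: exec { $cmd[0] } @cmd (assumed usage).
my @cmd = plugin_argv('plugin.pl', 42, '/tmp/$(firefox)', 800, 600, '$(firefox)');
print join(' | ', @cmd), "\n";
```

The list form matters more than the validation: even if a hostile value reaches the argument list, it is delivered to the plugin as data rather than interpreted as a command.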