CVE-2023-50255: The Threat Inside Deepin Linux’s Archive Manager


Deepin is a popular Linux distribution based on the Debian “stable” branch. It’s highly praised for its aesthetically pleasing Deepin Desktop Environment, built on Qt and compatible with various distributions. Deepin Linux is known for its user-friendly interface, making it a favorite among new and experienced users.

Deepin-Compressor, the default archive manager for the Deepin Linux OS, has been identified as having a path traversal vulnerability. This flaw, tracked under CVE-2023-50255, has a concerning CVSSv3 score of 8.2, indicating its high severity.

The vulnerability manifests during the decompression of zip archives. An archive manager should validate the name of every entry so that extraction cannot write outside the chosen destination directory. deepin-compressor fails to do so: an attacker can prefix file names inside a zip archive with “../”, and the archive manager follows those components out of the extraction directory.


This path traversal flaw opens the door to arbitrary file writing and, more alarmingly, remote code execution. By exploiting this vulnerability, an attacker can insert malicious desktop entries under the ~/.config/autostart directory. This action allows remote code execution upon the target system’s startup, posing a significant security threat.

Security researcher Febin deserves credit for uncovering and reporting this critical flaw.

The Proof-of-Concept

Steps to create such a zip archive:

  1. Create a file for traversal
     echo "TEST" > XXYXXYXXYtmpYpoc.txt
  2. Make a normal zip archive
     zip poc.zip XXYXXYXXYtmpYpoc.txt
  3. Craft malicious archive
     sed -i s/"XXY"/"..\/"/g poc.zip
     sed -i s/"tmpY"/"tmp\/"/g poc.zip

By following the above steps you can create a malicious zip archive; upon extracting that archive, a file named poc.txt will be created under the /tmp directory.
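The following Python is an added illustration of the entry-name check the advisory says an archive manager must perform; it is not code from deepin-compressor or from the original write-up. It goes a little beyond the page by also rejecting absolute paths and backslash separators, and it double-checks the resolved path against the extraction root rather than relying on string matching alone. The archives it inspects are constructed in memory using the PoC's traversal name; function names (`is_unsafe_member`, `unsafe_members`, `safe_extract`) are assumptions for this example.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True if a zip member name could escape the extraction root.

    Rejects absolute paths, drive-letter paths and any name that still
    begins with '..' after normalization (the '../' prefixes from the PoC).
    """
    normalized = name.replace("\\", "/")  # some writers use backslashes
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    collapsed = posixpath.normpath(normalized)
    return collapsed == ".." or collapsed.startswith("../")


def unsafe_members(zip_bytes: bytes) -> list[str]:
    """List every member name in the archive that fails the traversal check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if is_unsafe_member(info.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract members only if every resolved target stays under dest.

    The name check runs first; a second check compares the realpath of the
    target with the realpath of dest, so a symlink or odd separator cannot
    slip past the string-based test. Returns the file paths written.
    """
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename):
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"entry resolves outside {root}: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_to_tempdir(zip_bytes: bytes) -> list[str]:
    """Convenience wrapper: extract into a fresh temporary directory."""
    return safe_extract(zip_bytes, tempfile.mkdtemp(prefix="safe-extract-"))


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip with the given member names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the PoC's traversal entry, and a benign archive.
MALICIOUS_ZIP = build_archive({"../../../tmp/poc.txt": b"TEST\n"})
BENIGN_ZIP = build_archive({"docs/readme.txt": b"hello\n"})

if __name__ == "__main__":
    print("malicious archive flags:", unsafe_members(MALICIOUS_ZIP))
    print("benign archive flags:", unsafe_members(BENIGN_ZIP))
    print("extracted:", extract_to_tempdir(BENIGN_ZIP))
```

Running the module flags `../../../tmp/poc.txt` in the malicious archive and extracts the benign one into a temporary directory. The design point is that the name check and the realpath check are independent: the first gives a clear error on the crafted archive before anything touches the disk, the second catches cases the string test cannot see.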

The flaw affects versions of deepin-compressor before 5.12.21. Users running these versions are at risk and should take immediate action to secure their systems.

Users of Deepin Linux, particularly those using the affected versions of deepin-compressor, should update to the latest version immediately. Regular updates and patches are crucial in cybersecurity, and this instance is no exception.

CVE-2023-50255 serves as a stark reminder of the importance of software security, especially in widely used systems like Deepin Linux. Users are urged to remain vigilant and update their systems to safeguard against such vulnerabilities.