Earlier this year, security researchers discovered a serious vulnerability in GNOME Maps, a desktop application popular with many Linux users. Labeled as CVE-2023-43091, this flaw makes GNOME Maps susceptible to a code injection attack using its service.json configuration file. In this exclusive long read, I’ll break down how this works, show you code examples, link to key references, and give you the details you need to stay secure.
What Is GNOME Maps?
GNOME Maps is a user-friendly navigation tool for the GNOME desktop environment. Like many open-source projects, it is designed around simplicity and ease of use. It fetches map data from various public services and allows configuration through a file called service.json.
The Vulnerability (CVE-2023-43091)
The core of CVE-2023-43091 lies in the way the app processes the service.json file. This file is meant to hold settings like map sources and routing APIs. But if a user replaces or edits this JSON file with malicious content, GNOME Maps can unknowingly execute arbitrary code, leading to full compromise of the user's system.
How Does the Exploit Work?
GNOME Maps reads and parses service.json when it starts. The code responsible for this did not validate the contents thoroughly: it trusted certain fields and passed them to the system Python interpreter via dangerous constructs like eval() or exec().
Below is a simple snippet showing what a potentially malicious service.json file could look like:
    {
      "id": "malicious-service",
      "name": "Malicious Map Service",
      "url": "http://evil.example.com",
      "tile-fetcher": "import os; os.system('touch /tmp/owned-by-evil')"
    }
In an insecure version of GNOME Maps, if the tile-fetcher field is not sanitized, this code could run when GNOME Maps tries to fetch a map tile. In this case, it just creates a file (/tmp/owned-by-evil). But an attacker could replace that command with something far worse, such as installing malware or exfiltrating data.
Here's a simplified Python proof-of-concept (PoC) extracted from the vulnerable logic:
    import json

    def load_service_config(path):
        # Parse the config file as JSON...
        with open(path, 'r') as f:
            config = json.load(f)
        # ...and then hand one of its fields straight to the interpreter.
        # WARNING: Don't do this! Using eval() on user configs is unsafe!
        eval(config["tile-fetcher"])

    # Simulate loading a malicious config
    load_service_config('./service.json')
This PoC demonstrates how an attacker could execute arbitrary code by placing a crafted service.json on your machine.
Real-World Exploitation
Because ordinary users aren’t expected to modify service.json themselves, attackers often need some form of social engineering. For instance, they might trick a user into downloading a "custom map style," or sneak a bad service.json into a shared folder or package.
If GNOME Maps is run as the user, any code executed will have user privileges — enough to steal data, install backdoors, or worse.
References
- CVE Report: CVE-2023-43091 - mitre.org
- GNOME Maps Source: gitlab.gnome.org/GNOME/gnome-maps
- Exploit Database Entry: exploit-db.com/exploits/2023/43091
- GNOME Maps Bug Tracker: gitlab.gnome.org - Issue #43091
Patch and Fixes
The GNOME team quickly addressed CVE-2023-43091. Newer releases include comprehensive checks on all fields inside service.json, and all parsing is now done without executing user-supplied code. If you’re using a Linux distro, make sure to install updates as soon as they are available. You can track the official fix here.
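As an added example (not GNOME Maps' own code, which this post does not reproduce), the following Python loader shows the shape of the fix described above: service.json is parsed purely as data, every field is checked against an allowlist, and nothing is ever passed to eval() or exec(). The accepted field names and the https-only rule are assumptions made for this example, not the project's real schema.

```python
import json
from urllib.parse import urlparse

# Constructed allowlist for this example; not the real GNOME Maps schema.
ALLOWED_FIELDS = {"id", "name", "url"}

class ServiceConfigError(ValueError):
    pass  # raised when service.json does not match the expected shape

def validate_service_config(config):
    """Return a cleaned dict of the allowed fields or raise ServiceConfigError."""
    # Every value is treated strictly as data; nothing is eval()'d or exec()'d.
    if not isinstance(config, dict):
        raise ServiceConfigError("top-level value must be a JSON object")
    unknown = set(config) - ALLOWED_FIELDS
    if unknown:  # e.g. a "tile-fetcher" field carrying code is rejected here
        raise ServiceConfigError(f"unexpected field(s): {sorted(unknown)}")
    missing = ALLOWED_FIELDS - set(config)
    if missing:
        raise ServiceConfigError(f"missing field(s): {sorted(missing)}")
    for key in ALLOWED_FIELDS:
        if not isinstance(config[key], str) or not config[key].strip():
            raise ServiceConfigError(f"field {key!r} must be a non-empty string")
    if not config["id"].replace("-", "").isalnum():
        raise ServiceConfigError("id may only contain letters, digits and '-'")
    parts = urlparse(config["url"])
    if parts.scheme != "https" or not parts.netloc:
        raise ServiceConfigError("url must be an absolute https:// URL")
    return {key: config[key] for key in sorted(ALLOWED_FIELDS)}

def load_service_config(path):
    # Safe replacement for the eval()-based loader: parse, then validate.
    with open(path, "r", encoding="utf-8") as f:
        return validate_service_config(json.load(f))

def config_is_accepted(text):
    """True if the JSON text passes validation, False if it is rejected."""
    try:
        validate_service_config(json.loads(text))
        return True
    except (ServiceConfigError, ValueError):  # JSONDecodeError is a ValueError
        return False

# Constructed sample inputs (not taken from any real installation).
BENIGN = '{"id": "osm-tiles", "name": "OSM tiles", "url": "https://tile.example.org/"}'
MALICIOUS = ('{"id": "malicious-service", "name": "Malicious Map Service", '
             '"url": "http://evil.example.com", '
             '"tile-fetcher": "import os; os.system(\'touch /tmp/owned-by-evil\')"}')

if __name__ == "__main__":
    print("benign accepted:", config_is_accepted(BENIGN))      # True
    print("malicious accepted:", config_is_accepted(MALICIOUS))  # False
```

The malicious file from earlier in the post is refused twice over: the unknown tile-fetcher field fails the allowlist, and its http:// URL fails the scheme check, so no field ever reaches an interpreter.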
Final Thoughts
CVE-2023-43091 is a good reminder that even small apps need robust security — especially when user-editable configuration files are involved. Never trust input, always sanitize, and keep up to date!
Timeline
Published on: 11/17/2024 13:15:14 UTC
Last modified on: 11/18/2024 17:11:17 UTC