Created attachment 114718 [details] Proof of Concept Hello, I found an issue that may allow to maliciously deploy file at arbitrary location by opening Okular archives. When opening an Okular archive, "content.xml" is parsed in order to extract the document name (field "DocumentFileName"). If this file is also present in the archive, it is temporarily saved inside "/tmp" under a random name with "okular_XXXXXX.extension" form and is finally opened by the viewer. The issue comes from the "unpackDocumentArchive(...)" of "core/document.cpp": 1: To create the temporary name of the document, this function search extract the extension of the "DocumentFileName" using the following line: const int dotPos = documentFileName.indexOf( QLatin1Char('.') ); if ( dotPos != -1 ) archiveData->document.setFileTemplate(QDir::tempPath() + QLatin1String("/okular_XXXXXX") + documentFileName.mid(dotPos)); In case of a "DocumentFileName" named "this.is.a.test", the temporary name will have the form "/tmp/okular_XXXXXX.is.a.test". If "DocumentFileName" was "aaa.aaa/../../testXXXXXX.txt", the temporary name would become the path "/tmp/okular_XXXXXX.aaa/../../testXXXXXX.txt". 2: Before generating this name, the function "unpackDocumentArchive(...)" check if the document exists using the following code: const KArchiveEntry * docEntry = mainDir->entry( documentFileName ); if ( !docEntry || !docEntry->isFile() ) return nullptr; Archives are not supposed to contain files with relative paths but it is possible to manually craft them. As the "KArchiveDirectory" class used to parse archives do not raise any exceptions in such case, it is possible to control the path of the temporary file (with exception of the six random characters). 3: Such temporary files are supposed to be removed when closing Okular which limit the impact of this bug. However, it may be possible to forge malicious archives containing documents that would cause a crash of Okular during opening (for example a document with very large pictures to ran out of memory) in order to avoid the deletion phase. As PDF may be "polyglot" ( https://en.wikipedia.org/wiki/Polyglot_(computing) ), the document could also contain a configuration file or an executable to deploy on the victim workstation. Correcting this issue may be done by searching the last dot and not the first one on the line : const int dotPos = documentFileName.indexOf( QLatin1Char('.') ); To illustrate this issue, I have joined an Okular archive file which (when opened with "root" permission) create a polyglot (PDF/script) file named "payloadXXXXX.pdf" in the "/root/" folder. I'm apologizing for the mistakes and am available if you have any question. Best regards, Joran HERVE
You should never run okular as root, that's just bad practice and there's really no reason for anyone be doing that. Anyhow i guess the problem applies for regular users too
My suggestion at https://phabricator.kde.org/D15192
Git commit 8ff7abc14d41906ad978b6bc67e69693863b9d47 by Albert Astals Cid. Committed on 03/09/2018 at 19:14. Pushed by aacid into branch 'Applications/18.08'. Fix path traversal issue when extracting an .okular file Summary: With specially crafted .okular files you can trick okular to create temporary files outside the temporary folder We fix that by making sure the file doesn't have folders since the ones we create don't Subscribers: okular-devel Tags: #okular Differential Revision: https://phabricator.kde.org/D15192 M +12 -0 core/document.cpp https://commits.kde.org/okular/8ff7abc14d41906ad978b6bc67e69693863b9d47