diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index a3c40c9d67..af7a252ea0 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -59658,6 +59658,55 @@ "notes": { } }, + "exploit_multi/fileformat/evince_cbt_cmd_injection": { + "name": "Evince CBT File Command Injection", + "full_name": "exploit/multi/fileformat/evince_cbt_cmd_injection", + "rank": 600, + "disclosure_date": "2017-07-13", + "type": "exploit", + "author": [ + "Felix Wilhelm", + "Sebastian Krahmer", + "Matlink", + "bcoles " + ], + "description": "This module exploits a command injection vulnerability in Evince\n before version 3.24.1 when opening comic book `.cbt` files.\n\n Some file manager software, such as Nautilus and Atril, may allow\n automatic exploitation without user interaction due to thumbnailer\n preview functionality.\n\n Note that limited space is available for the payload (<256 bytes).\n Reverse Bash and Reverse Netcat payloads should be sufficiently small.\n\n This module has been tested successfully on evince versions:\n\n 3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;\n 3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.", + "references": [ + "BID-99597", + "CVE-2017-1000083", + "EDB-45824", + "URL-https://seclists.org/oss-sec/2017/q3/128", + "URL-https://bugzilla.gnome.org/show_bug.cgi?id=784630", + "URL-https://bugzilla.suse.com/show_bug.cgi?id=1046856", + "URL-https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418", + "URL-https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662", + "URL-https://access.redhat.com/security/cve/cve-2017-1000083", + "URL-https://security-tracker.debian.org/tracker/CVE-2017-1000083" + ], + "is_server": true, + "is_client": false, + "platform": "Unix", + "arch": "cmd", + "rport": null, + "autofilter_ports": [ + + ], + "autofilter_services": [ + + ], + "targets": [ + "Automatic" + ], + "mod_time": "2019-02-03 06:18:31 +0000", + "path": "/modules/exploits/multi/fileformat/evince_cbt_cmd_injection.rb", + "is_install_path": true, + "ref_name": "multi/fileformat/evince_cbt_cmd_injection", + "check": false, + "post_auth": false, + "default_credential": false, + "notes": { + } + }, "exploit_multi/fileformat/ghostscript_failed_restore": { "name": "Ghostscript Failed Restore Command Execution", "full_name": "exploit/multi/fileformat/ghostscript_failed_restore",