CVE-2024-36472: Untrusted JavaScript Code Execution in GNOME Shell through 45.7 by Exploiting Portal Helper Vulnerability

In this long-read post, we will dive into a critical vulnerability discovered in the GNOME Shell through version 45.7 (CVE-2024-36472), which allows an attacker to execute untrusted JavaScript code automatically via a portal helper without user confirmation. This security flaw can lead to resource consumption or other severe impacts on the affected system depending on the JavaScript code behavior. We will provide you a code snippet to understand the vulnerability and exploit details, along with links to original references.

Background

The GNOME Shell is the graphical interface for all GNOME-based desktop environments typically found on Linux systems. A crucial part of GNOME Shell is the portal helper, a tool responsible for handling certain operations, such as opening web pages. In the affected version of GNOME Shell, a flaw in this tool has been discovered that can be leveraged by an attacker to execute untrusted JavaScript code without user confirmation based on network responses provided by the attacker (e.g., an attacker who controls the local Wi-Fi network).

Original References

- CVE-2024-36472 Details
- GNOME GitLab Issue

Code Snippet

The following code snippet demonstrates the weak point in the GNOME Shell that allows launching the portal helper without user confirmation:

// Signaling from NetworkManager: _onPortalDetected()
_onPortalDetected() {
    ...
    // Add an entry to recentManager with the portal helper.
    recentManager.addItem(manager.getModelForRow(row));
    ...
    // Run the portal helper automatically.
    this._runPortalHelper();
}

Exploit Details

Set up a rogue Wi-Fi access point or control the local Wi-Fi network somehow.

2. Force the GNOME Shell to detect the rogue access point as a captive portal, thus invoking the _onPortalDetected() function.
3. Provide a malicious network response containing untrusted JavaScript code when the GNOME Shell requests the portal helper.

Once the above steps are executed successfully, the untrusted JavaScript code will run on the victim's system, leading to possible resource consumption or other impacts depending on the JavaScript code behavior.

Mitigation and Conclusion

To mitigate this vulnerability, it's highly recommended to update the GNOME Shell to version 45.8 or newer, which contains a patch that fixes this issue. You may find the update in your Linux distribution's package manager or directly through the GNOME Shell GitLab repository.

In summary, CVE-2024-36472 is a critical vulnerability in the GNOME Shell through version 45.7 that allows automatic execution of untrusted JavaScript code by exploiting the portal helper. By understanding how this vulnerability works and taking appropriate measures, such as updating to the latest version of GNOME Shell, users can protect their systems from potential attacks.

Timeline

Published on: 05/28/2024 16:15:17 UTC
Last modified on: 05/28/2024 17:11:47 UTC