CVE-2024-32462 PoC — Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing

Associated Vulnerability
Title: Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing (CVE-2024-32462)
Description: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However, it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with `--`. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.
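
The option/command split that the description above turns on, as an added example (not code from the PoC repository, Flatpak or bubblewrap). It uses a simplified model parser with a constructed option table and constructed paths to show that app-supplied tokens are parsed as wrapper options unless `--` precedes them, and it models the portal-side check on the first token.

```python
# Simplified model of wrapper option parsing; not bubblewrap's real parser.
# Constructed option table: option name -> number of values it consumes.
MODEL_OPTIONS = {"--bind": 2, "--ro-bind": 2, "--unshare-all": 0}

# Constructed sample data: options chosen by the trusted launcher, and a
# commandline as an app could hand it to the RequestBackground portal.
TRUSTED_OPTS = ["--unshare-all", "--ro-bind", "/usr", "/usr"]
APP_COMMANDLINE = ["--bind", "/constructed/src", "/constructed/dst", "/bin/true"]


def split_options(argv):
    """Return (options, command): stop at "--" or the first non-option."""
    options, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            return options, argv[i + 1:]
        if tok not in MODEL_OPTIONS:
            break
        width = 1 + MODEL_OPTIONS[tok]
        options.append(tuple(argv[i:i + width]))
        i += width
    return options, argv[i:]


def build_argv(commandline, end_of_options):
    """Trusted options, optionally "--", then the app-supplied commandline."""
    sep = ["--"] if end_of_options else []
    return TRUSTED_OPTS + sep + list(commandline)


def injected_options(commandline, end_of_options):
    """Options the parser accepted beyond the ones the launcher chose."""
    trusted, _ = split_options(TRUSTED_OPTS)
    parsed, _ = split_options(build_argv(commandline, end_of_options))
    return parsed[len(trusted):]


def portal_accepts(commandline):
    """Portal-side mitigation: refuse a command that starts with "--"."""
    return not (commandline and commandline[0].startswith("--"))


if __name__ == "__main__":
    print("without --:", injected_options(APP_COMMANDLINE, False))
    print("with    --:", injected_options(APP_COMMANDLINE, True))
    print("portal accepts:", portal_accepts(APP_COMMANDLINE))
```

With the separator in place the whole app-supplied list is treated as the command and its arguments, which is why the fix holds regardless of what the first token looks like.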
Description
CVE-2024-32462 code exec sbx escape
Readme
# CVE-2024-32462
CVE-2024-32462 code exec sbx escape

How the directory should look to compile this

    ├── org.exploit.SandboxEscape.yaml
    ├── exploit.py
    └── app/
        └── exploit.desktop

How to run & build

1. Install Flatpak SDK (if needed):
  
    flatpak install flathub org.freedesktop.Platform//21.08
  
    flatpak install flathub org.freedesktop.Sdk//21.08

2. Build the Flatpak PoC:

    flatpak-builder --force-clean build-dir org.exploit.SandboxEscape.yaml

3. Install & run:

    flatpak-builder --user --install --force-clean build-dir org.exploit.SandboxEscape.yaml
  
    flatpak run org.exploit.SandboxEscape

File Snapshot

    [4.0K] /data/pocs/f80c87ee169414a2671a5080a7bfa860a2c90378
    ├── [ 219] exploit.desktop
    ├── [ 586] exploit.py
    ├── [ 563] org.exploit.SandboxEscape.yaml
    └── [ 659] README.md

    0 directories, 4 files