RedStar OS 3.0: Remote Arbitrary Command Injection

Red Star OS is a North Korean linux based operating system. Multiple versions of RedStar OS in desktop and server format have been leaked over the past few years and excellent presentations at CCC [1] & [2] have revealed interesting findings on its internals. Hacker House team have previously disclosed a number of local root vulnerabilities [3] & [4] in Red Star OS to show how insecure programming practices are in use by the RedStar OS developers. We are sharing another amusing example of this in the form of a remote client-side command injection vulnerability to mark RedStar’s anniversary leak. This exploit is a client-side remote exploit which can be triggered from the Internet/Intranet and used to install malware or exploit computers running RedStar OS just by having a user click a hyperlink. The web browser that ships with Red Star OS is known as “Naenara”[5] and contains trivial remote exploit attack vectors. You can download the leaked Red Star OS images from [6]. We tested this exploit against RedStar OS 3.0 desktop in Naenara 3.5. Whilst probing for vulnerabilities it was noticed that registered URL handlers were passed to a command line utility “/usr/bin/nnrurlshow”. This application (aside from having null ptr de-refs and other cute bugs) takes URI arguments for registered URI handlers when handling application requests such as “mailto” and “cal”. Naenara doesn’t sanitize the command line when handling these URI argument requests and as such you can trivially obtain code execution by passing malformed links to the nnrurlshow binary. An attacker can get a user of RedStar OS 3.0 to execute arbitrary commands by enticing them to click on a link which points to “mailto:`cmd`”. Commands will then be executed as arguments when passed to evolution mail. An example of exploitation can be seen in the image below with the output of the “id” command visibly shown in the evolution-based mail client output.

lol2

We hope you enjoyed this extremely trivial to exploit vulnerability which can be used to compromise computers running RedStar OS 3.0 remotely through the web browser. You can also watch a video of this exploit in action here – Naenara 3.5 browser exploit.

References:
[1] Lifting the Fog on Red Star OS [32c3] – YouTube
[2] Computer Science in the DPRK
[3] Red Star 2.0 local root exploit
[4] Red Star 3.0 local root exploit
[5] Naenara browser (wikipedia)
[6] RedStar OS download links

Comments are closed.