openSUSE-Welcome App Vulnerability Allows Code Execution as Another User

A vulnerability has been found in opensuse-welcome, the application the openSUSE distribution uses to introduce new users to the features of the system, that allows code to be executed with the rights of another user. The issue, tracked as CVE-2023-32184, affects the openSUSE-Welcome application, which is launched automatically when a user logs in to the system for the first time and, if the XFCE desktop environment was chosen, offers alternative layouts for the elements on the desktop.

The vulnerability is caused by incorrect handling of temporary files in the handler responsible for applying the selected layout, which allowed an attacker to run their code with the privileges of the victim who chose an XFCE desktop layout. Specifically, the PanelLayouter::applyLayout() method uses the fixed directory “/tmp/layout” to store a TAR archive containing the XFCE settings. The archive is processed by calling a built-in Python script, which in turn invokes the script “/usr/xfce4-panel-profiles/xfce4-panel-profiles/panelconfig.py” from the XFCE project. Although the PanelLayouter code checked whether the “/tmp/layout” directory existed, it ignored the error codes returned by the functions that delete and copy data. As a result, if something other than the expected directory existed under the name “/tmp/layout”, the function continued executing despite the errors, which allowed the attacker to substitute the data handed to the Python script.

The panelconfig.py script launched by the PanelLayouter code not only applies XFCE configuration changes but can also place resource files (“*rc”) in the user’s home directory. By substituting their own data for the original TAR archive, the attacker could add extra files to the archive and have them copied into the user’s home directory. In this way the attacker could insert their own “.bashrc” file into the home directory
