Possible security exploit using special characters to manipulate displayed filename.

Bug #1236983 reported by Ron Platt
This bug affects 1 person
Affects: Nautilus; Status: Confirmed; Importance: Medium
Affects: nautilus (Ubuntu); Status: Triaged; Importance: High; Assigned to: Unassigned

Bug Description

Use of special characters can be used to manipulate a filename extension in Nautilus. We received a piece of malware with a filename that appears differently with Nautilus than on the command line using ls.

With Nautilus we see: NO.00123Order# POrcs.pdf
With ls in bash we see: NO.00123Order# POfdp.scr

Using od the special characters are revealed as:
ronp@ron:~/Desktop/virus$ ls *scr | od -c
0000000 N O . 0 0 1 2 3 O r d e r # P
0000020 O 342 200 256 f d p . s c r \n
0000034

Before extraction from the archive, the file appears with question marks as follows:
NO.00123Order# PO???fdp.scr

Perhaps this would be a more secure way to display the file in Nautilus, revealing the true nature of the file; scr instead of pdf.

This occurred with Nautilus 3.4.2 on Ubuntu 12.10 and Nautilus 3.6.3 on Ubuntu 13.04

We note this type of exploit has been used before:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23930/en_US/McAfee_Labs_Threat_Advisory_XDocCrypt.pdf

Ron Platt (ronp) wrote :
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Looks like a consequence of https://bugzilla.gnome.org/show_bug.cgi?id=549882

Thanks

Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Changed in nautilus (Ubuntu):
importance: Undecided → High
Changed in nautilus (Ubuntu):
status: New → Confirmed
Changed in nautilus (Ubuntu):
status: Confirmed → Triaged
Changed in nautilus:
importance: Unknown → Medium
status: Unknown → Confirmed
Aptivi (eofla) wrote :

It still works on Ubuntu Eoan, so not fixed yet.

Khalid Abu Shawarib (khalid-shawarib) wrote :

This is using a Unicode Right-to-Left override. Unless you want to disable bidirectional Unicode support, this should not change the way it's rendered. Instead you should be managing things like whether it's executable by double click and whether it displays a PDF icon/preview.
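Added example, not part of the original report or comments and not Nautilus code: a Python check that takes the filename bytes shown in the od dump above (octal 342 200 256 is U+202E, the Right-to-Left override named in the last comment), lists any bidirectional control characters, and prints the name in storage order with the controls made visible. The function names and the set of characters flagged are choices made for this example.

```python
import os
import unicodedata

# Bidirectional formatting characters that can reorder displayed text
# (set chosen for this example).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f", "\u061c",                      # LRM RLM ALM
}

def find_bidi_controls(name):
    """Return (index, code point, Unicode name) for each bidi control in name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]

def safe_display(name):
    """Render the name in logical (storage) order with controls made visible."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)

def real_extension(name):
    """Extension as the filesystem stores it, ignoring display reordering."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""

def audit(raw):
    """Audit one filename given as bytes, as returned by the filesystem."""
    # surrogateescape keeps undecodable bytes instead of raising
    name = raw.decode("utf-8", errors="surrogateescape")
    return {"display": safe_display(name),
            "controls": find_bidi_controls(name),
            "extension": real_extension(name)}

def scan(directory):
    """Return audit reports for entries whose names contain bidi controls."""
    reports = [audit(e.name) for e in os.scandir(os.fsencode(directory))]
    return [r for r in reports if r["controls"]]

# Constructed sample: the bytes from the od dump in the report.
SAMPLE = b"NO.00123Order# PO\xe2\x80\xaefdp.scr"

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(scan("."))
```
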

This report contains Public Security information  
Everyone can see this security related information.
