Ubuntu
nautilus package

.desktop files provide simple infection vector for trojans

Bug #153438 reported by Alex Willmer
260
Affects Status Importance Assigned to Milestone
Nautilus
Fix Released
Wishlist
nautilus (Debian)
Fix Released
Unknown
nautilus (Ubuntu)
Fix Released
High
Ubuntu Desktop Bugs
Ubuntu later

Bug Description

Binary package hint: nautilus

An attacker may cause the user to run a .desktop file containing executable code, without that file having the executable attribute.

I demonstration exploits are available here:
http://robots.org.uk/fdo-desktop-entry-vulnerability/

If saved to the desktop, which may be the default for application/octet-stream this file appears as 'hot goats.jpg', with a photo icon. No indication is given that code will execute, should the file be opened.

Clicking the icon causes the embedded python code to display a window containing the message 'owned'. Embedded code could do anything which the user has privileges to perform.

This is an extremely short distance from download to execution of code and should be considered a serious vulnerability, akin to double extensions on MS Windows and execute attachments/downloads behavior.

This issue has been discussed previously on the xdg mailing list:
http://lists.freedesktop.org/archives/xdg/2006-April/006357.html

However I feel the default behavior of Nautilus warrants this bug report.

Related branches

lp:ubuntu/lucid/nautilus
Revision history for this message
Alex Willmer (alex-moreati) wrote :

This is still exploitable in Ubuntu 8.04, text of email I just sent to <email address hidden> follows:

I just tested this using Firefox 3 on Ubuntu 8.04 with Gnome 2.22.2.

trojan.desktop Displayed in Firefox as a plain text file

trojan-axd.desktop Asked to save or open the file:
      * If saved default location is desktop. Appears with jpeg icon and
        file name 'hot goats.jpg'. Double clicking causes the code to
        run (displays 'Owned' in a small window).
      * If open with chosen, following message is displayed "The
        application you chose ("(null)") could not be found. Check the
        file name or choose another application."

trojan-aos.desktop Treated as executable by Firefox may only save file
      * If Save file clicked, file is saved to Desktop, no choice.
      * Once saved it behaves like trojan-axd.desktop.

I now have multiple icons on my desktop, all apparently called 'hot
goats.jpg' (without quotes). All of them run the embedded python code.

alex@martha:~/Documents/primes$ ls /home/alex/Desktop/trojan*
/home/alex/Desktop/trojan-aos(2).desktop
/home/alex/Desktop/trojan-aos(3).desktop
/home/alex/Desktop/trojan-aos.desktop
/home/alex/Desktop/trojan-axd(2).desktop
/home/alex/Desktop/trojan-axd.desktop

Revision history for this message
Pedro Villavicencio (pedro) wrote :

thansk fr the report, this needs to be send to the upstream authors of nautilus at bugzilla.gnome.org since they writ the code, for forwarding instructions please have a look to https://wiki.ubuntu.com/Bugs/Upstream/GNOME; thanks.

Changed in nautilus:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
Sebastien Bacher (seb128)
Changed in nautilus:
importance: Medium → Low
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in nautilus:
status: Unknown → New
Revision history for this message
Bryce Harrington (bryce) wrote :

http://www.geekzone.co.nz/foobar/6229

Kees Cook (kees)
Changed in nautilus:
importance: Low → High
milestone: none → later
status: Triaged → Confirmed
Revision history for this message
Laurent Bonnaud (laurent-bonnaud) wrote :

How about using the patch from Debian ? See:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408948
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=408556

Revision history for this message
Sebastien Bacher (seb128) wrote :

Laurent those changes were used but don't apply to the new gio codebase, they are not activated in debian experimental either

Revision history for this message
Laurent Bonnaud (laurent-bonnaud) wrote : Re: [Bug 153438] Re: .desktop files provide simple infection vector for trojans

On Fri, 2009-02-13 at 09:10 +0000, Sebastien Bacher wrote:

> Laurent those changes were used but don't apply to the new gio codebase,

Too bad.

> they are not activated in debian experimental either

The Debian bug reports are archived, therefore I will report another one
and link it to this LP bug...

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

Revision history for this message
otzenpunk (reisswolf-nospam) wrote :

Added Gnome bug #572203, because the other referenced Gnome bug is outdated.

Changed in nautilus:
status: New → Unknown
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nautilus - 1:2.25.92-0ubuntu1

---------------
nautilus (1:2.25.92-0ubuntu1) jaunty; urgency=low

  * New upstream version:
    - Set mmap limit to avoid desktop background memory not being returned to the os
    - Warn when source overwrites destination in move
    - Don't put "link to ..." in front of symlinks unless there are name conflicts
    - Fix desktop flicker on theme change (lp: #327974)
    - Require desktop file app launchers to be executable (lp: #153438)
    - Support making symlinks on remote locations

 -- Sebastien Bacher <email address hidden> Mon, 02 Mar 2009 18:33:40 +0100

Changed in nautilus:
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in nautilus:
status: Unknown → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in nautilus:
status: Unknown → New
Bug Watch Updater (bug-watch-updater)
Changed in nautilus:
importance: Unknown → Wishlist
Bug Watch Updater (bug-watch-updater)
Changed in nautilus (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.