caja -> Shell Injection with icon theme

Bug #1531599 reported by Bernd Dietzel on 2016-01-06
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Folder Color

Bug Description

OS: UbuntuMATE 15.10
File : /usr/share/caja-python/extensions/
Version : Folder Color 0.0.78

By changing the folder color, shell code can be injected by a icon theme.
The python script uses os.system.

Line : 783
        # MATE
        os.system('gsettings set org.mate.interface icon-theme "%s"' % theme)

Exploit Example :
1) Copy some icon theme into the user .icons folder and rename it to this name :

/home/<user>/.icons/The `xeyes` icon theme/

2) Edit this file : index.theme

[Icon Theme]
Name=The `xeyes` icon theme

3) Use the icon theme

4) Run caja and then rigthclick onto a folder and change his color to the GLOBAL color blue.

5) The program xeyes starts several times as a proof of concept


The mint team seems to have a bugfixed Version :

Bernd Dietzel (l-ubuntuone1104) wrote :

Demo Video (german)

information type: Private Security → Public Security
costales (costales) on 2016-01-20
Changed in folder-color:
status: New → In Progress
assignee: nobody → costales (costales)
costales (costales) wrote :

Hi Bernd! !o/ Your hacking is awesome! :)

Could you overwrite this file:
with the attachment ''?

And then:
caja -q

And check if all is working as it should be now? :)

Thanks a lot mate!

Changed in folder-color:
status: In Progress → Fix Committed
Bernd Dietzel (l-ubuntuone1104) wrote :

Hi costales,
OK , works, no injections any more :-)

Maybe you like to call _run_cmd() in _reload_icon() and set_emblem() ,too ?
So you have only one function in the code which cares about the subprocess calls.

Thank you, too ;-)

costales (costales) wrote :

Great :) Thanks a lot for the test |o/

I'll wait until tomorrow for the translations and I'll release it.

_run_cmd() is in another class, I'll leave like that, it is not a big deal :)

A really big hug and thanks again Bernd ;)

costales (costales) wrote :

Uploaded and sent to Bhavani for upload

Changed in folder-color:
status: Fix Committed → Fix Released
no longer affects: ubuntu-mate
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments