caja folder-color.py -> Shell Injection with icon theme

Bug #1531599 reported by Bernd Dietzel
This bug affects 1 person
Affects: Folder Color
Status: Fix Released
Importance: Undecided
Assigned to: costales
Milestone: (none)

Bug Description

OS: UbuntuMATE 15.10
File : /usr/share/caja-python/extensions/folder-color.py
Version : Folder Color 0.0.78

By changing the folder color, shell code can be injected by an icon theme.
The Python script uses os.system.

Line : 783
        # MATE
        os.system('gsettings set org.mate.interface icon-theme "%s"' % theme)

Exploit Example :
1) Copy some icon theme into the user .icons folder and rename it to this name :

/home/<user>/.icons/The `xeyes` icon theme/

2) Edit this file : index.theme

[Icon Theme]
Name=The `xeyes` icon theme

3) Use the icon theme

4) Run caja and then right-click on a folder and change its color to the GLOBAL color blue.

5) The program xeyes starts several times as a proof of concept

-------

The Mint team seems to have a bug-fixed version:
https://github.com/linuxmint/folder-color-switcher/blob/master/caja-extensions/caja-folder-color-switcher.py
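
Added example, not part of the original report or of Folder Color's code: the os.system pattern from line 783 next to an argument-list call that never goes through a shell. `echo` stands in for gsettings so it runs offline, the sample theme name is constructed, and the function names are hypothetical.

```python
import subprocess

# Constructed sample: a theme name as it would be read from index.theme.
# `echo INJECTED` is a harmless stand-in for the command substitution.
THEME = "The `echo INJECTED` icon theme"

# Assumption: "echo" replaces the gsettings binary so the example runs
# anywhere; it simply prints back the arguments it received.
TOOL = "echo"


def set_theme_vulnerable(theme, tool=TOOL):
    """Same pattern as the reported line: string formatting plus a shell."""
    cmd = '%s set org.mate.interface icon-theme "%s"' % (tool, theme)
    # shell=True hands the string to /bin/sh, as os.system() does. Inside
    # double quotes the shell still expands `...` and $(...).
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def set_theme_safe(theme, tool=TOOL):
    """Hardened form: argv list, no shell, the theme is exactly one argument."""
    argv = [tool, "set", "org.mate.interface", "icon-theme", theme]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    # The first line shows the substituted text, the second keeps the backticks.
    print("vulnerable:", set_theme_vulnerable(THEME))
    print("safe:      ", set_theme_safe(THEME))
```

In the shell variant the text between the backticks is executed and replaced by its output before the tool sees it; in the list variant the tool receives the theme name byte for byte.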

Bernd Dietzel (l-ubuntuone1104) wrote :

Demo Video (german)
https://youtu.be/3IP8dh7NCpw

information type: Private Security → Public Security
costales (costales)
Changed in folder-color:
status: New → In Progress
assignee: nobody → costales (costales)
costales (costales) wrote :

Hi Bernd! !o/ Your hacking is awesome! :)

Could you overwrite this file:
/usr/share/caja-python/extensions/folder-color.py
with the attachment 'folder-color.py'?

And then:
caja -q
caja

And check if all is working as it should be now? :)

Thanks a lot mate!

Changed in folder-color:
status: In Progress → Fix Committed
Bernd Dietzel (l-ubuntuone1104) wrote :

Hi costales,
OK, works, no injections any more :-)

Maybe you would like to call _run_cmd() in _reload_icon() and set_emblem(), too?
Then you have only one function in the code which cares about the subprocess calls.

Thank you, too ;-)
Bernd

costales (costales) wrote :

Great :) Thanks a lot for the test |o/

I'll wait until tomorrow for the translations and I'll release it.

_run_cmd() is in another class, I'll leave it like that, it is not a big deal :)

A really big hug and thanks again Bernd ;)

costales (costales) wrote :

Uploaded and sent to Bhavani for upload

Changed in folder-color:
status: Fix Committed → Fix Released
no longer affects: ubuntu-mate