.desktop files provide simple infection vector for trojans
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Nautilus | Fix Released | Wishlist | |
nautilus (Debian) | Fix Released | Unknown | |
nautilus (Ubuntu) | Fix Released | High | Ubuntu Desktop Bugs |
Bug Description
Binary package hint: nautilus
An attacker may cause the user to run a .desktop file containing executable code, without that file having the executable attribute.
Demonstration exploits are available here:
http://
If saved to the desktop, which may be the default for application/
Clicking the icon causes the embedded python code to display a window containing the message 'owned'. Embedded code could do anything which the user has privileges to perform.
This is an extremely short distance from download to execution of code and should be considered a serious vulnerability, akin to double extensions on MS Windows and execute attachments/
This issue has been discussed previously on the xdg mailing list:
http://
However I feel the default behavior of Nautilus warrants this bug report.
Changed in nautilus:
  importance: Medium → Low
  status: New → Triaged
Changed in nautilus:
  status: Unknown → New
Changed in nautilus:
  importance: Low → High
  milestone: none → later
  status: Triaged → Confirmed
Changed in nautilus:
  status: Unknown → Fix Released
Changed in nautilus:
  status: Unknown → New
Changed in nautilus:
  importance: Unknown → Wishlist
Changed in nautilus (Debian):
  status: New → Fix Released
This is still exploitable in Ubuntu 8.04, text of email I just sent to <email address hidden> follows:
I just tested this using Firefox 3 on Ubuntu 8.04 with Gnome 2.22.2.
trojan.desktop: Displayed in Firefox as a plain text file.
trojan-axd.desktop: Asked to save or open the file:
  * If saved, default location is desktop. Appears with jpeg icon and file name 'hot goats.jpg'. Double clicking causes the code to run (displays 'Owned' in a small window).
  * If "open with" chosen, the following message is displayed: "The application you chose ("(null)") could not be found. Check the file name or choose another application."
trojan-aos.desktop: Treated as executable by Firefox; may only save file.
  * If Save file clicked, file is saved to Desktop, no choice.
  * Once saved it behaves like trojan-axd.desktop.
I now have multiple icons on my desktop, all apparently called 'hot goats.jpg' (without quotes). All of them run the embedded python code.
alex@martha:~/Documents/primes$ ls /home/alex/Desktop/trojan*
/home/alex/Desktop/trojan-aos(2).desktop
/home/alex/Desktop/trojan-aos(3).desktop
/home/alex/Desktop/trojan-aos.desktop
/home/alex/Desktop/trojan-axd(2).desktop
/home/alex/Desktop/trojan-axd.desktop
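The pattern described in the bug report and confirmed in the 8.04 test above has three visible traits: the launcher has no execute bit, its Name masquerades as a document ('hot goats.jpg' with a jpeg icon), and its Exec line carries interpreter code inline rather than pointing at an installed program. The following is an added example, not code from the report or from Nautilus: an audit script that parses .desktop files in a directory and reports those traits without ever running the Exec line. The parser, the extension list, the regular expression and the two sample launchers it writes to a temporary directory are all constructed for this demonstration.

```python
"""Audit a directory for .desktop launchers shaped like the trojan in this
bug: no execute bit, a document-looking Name, and inline code in Exec.

Added example, not part of the bug report or of Nautilus. The sample
entries, file names and heuristics below are constructed for the demo.
The audit only parses the files; it never executes an Exec line.
"""
import re
import stat
import tempfile
from pathlib import Path

# Extensions a user reads as "document", not "program" (constructed list).
DOC_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".odt", ".txt"}

# "python -c ...", "sh -c ...", "perl -e ...": code carried inside Exec itself.
INLINE_CODE = re.compile(
    r"(?:^|[\s/])(?:python[\d.]*|perl|ruby|sh|bash|dash)\s+-[ce]\b"
)


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group.

    Minimal parser for the freedesktop key-file syntax: '#' comments,
    '[Group]' headers and 'Key=Value' lines; only the first '=' splits,
    so payloads containing '=' stay intact.
    """
    entries = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group != "Desktop Entry" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def audit_desktop_file(path):
    """Return a list of warning strings for one .desktop file."""
    path = Path(path)
    entries = parse_desktop_entry(path.read_text(encoding="utf-8", errors="replace"))
    findings = []
    if entries.get("Type") != "Application" or "Exec" not in entries:
        return findings  # Link/Directory entries are not launchers
    mode = path.stat().st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("launcher has no execute bit")
    name = entries.get("Name", "")
    if Path(name).suffix.lower() in DOC_EXTS:
        findings.append(f"Name {name!r} masquerades as a document")
    if INLINE_CODE.search(entries["Exec"]):
        findings.append("Exec carries inline interpreter code")
    return findings


def audit_directory(directory):
    """Map each flagged *.desktop file name in directory to its findings."""
    results = {}
    for path in sorted(Path(directory).glob("*.desktop")):
        findings = audit_desktop_file(path)
        if findings:
            results[path.name] = findings
    return results


# Constructed samples: one launcher shaped like the report's demo files
# (document-looking Name, image icon, inline python, no exec bit) and one
# ordinary application launcher that is marked executable.
TROJAN_LIKE = """[Desktop Entry]
Type=Application
Name=hot goats.jpg
Icon=image-x-generic
Exec=python -c "print('this is where the payload would run')"
"""

BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Icon=firefox
Exec=firefox %u
"""


def demo():
    """Write both samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        trojan = Path(d, "trojan-axd.desktop")
        trojan.write_text(TROJAN_LIKE)
        trojan.chmod(0o644)  # saved by a browser: plain file, no x bit
        benign = Path(d, "firefox.desktop")
        benign.write_text(BENIGN)
        benign.chmod(0o755)
        return audit_directory(d)


if __name__ == "__main__":
    for fname, warnings in demo().items():
        print(fname)
        for w in warnings:
            print("  -", w)
```

Only the constructed trojan-like file is reported; the benign launcher is executable, has a program-style Name and an Exec pointing at an installed binary, so none of the three checks fire. Point `audit_directory` at `~/Desktop` to review files a browser has dropped there.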