Ubuntu

Malicious executable code defaults to "Open with", cannot be changed

Reported by Patrick Horn on 2009-04-04
278
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Confirmed
Medium
Wine
Fix Released
Wishlist
firefox-3.0 (Ubuntu)
Medium
Unassigned
firefox-3.5 (Ubuntu)
Medium
Unassigned
wine (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: firefox-3.0

Distro: Ubuntu 8.10
Uname -a: Linux rand 2.6.28-8-generic #28-Ubuntu SMP Fri Mar 6 00:09:20 UTC 2009 x86_64 GNU/Linux

apt-cache policy firefox-3.0
firefox-3.0:
  Installed: 3.0.8+nobinonly-0ubuntu0.8.10.2
  Candidate: 3.0.8+nobinonly-0ubuntu0.8.10.2
  Version table:
 *** 3.0.8+nobinonly-0ubuntu0.8.10.2 0
        500 http://mirror.anl.gov intrepid-updates/main Packages
        500 http://security.ubuntu.com intrepid-security/main Packages
        100 /var/lib/dpkg/status
     3.0.3+nobinonly-0ubuntu2 0
        500 http://mirror.anl.gov intrepid/main Packages

I have accidentally found my way to a web site which has been hacked. Upon exiting the page, a hijacked onunload handler brings me to another site which immediately attempts to download a .EXE file for windows.

Anyone who says that EXE programs are not dangerous on Linux is simply wrong. Wine by default comes with a link dosdevices/z: -> /
What this means is that any windows program can read/write to all files that I have read/write access to. For example, imagine a simple trojan that adds malicious code to all .EXE files on the disk. While this may not be an immedate problem, the next time I boot to my windows partition, my computer will be owned! Or, a virus could just inconspicuously delete or truncate all "unimportant" files (images, documents) on my computer -- And from what I have heard, there are recent malicious programs floating around the internet that do this.

In addition, Wine executables that are designed with Linux in mind (not that much of a stretch), could launch arbitrary code, even in the form of a ELF binary if necessary, followed by installing a keylogger or pretty much anything even if it wasn't possible using windows-only code.

While I am understanding of the chain of events leading to the EXE download (there is nothing Firefox can do about me going to a malicious website), there are a number of problems (I have attached a screenshot so you can see what I mean):

1) The Dialog box marks "Open with wine" as default,

2) It does not have a countdown timer! So any page that asks you to fill in a text box and hit enter, could cause you to run an arbitrary .EXE using wine by initiating the download at exactly the right time.

3) The "Use this as default" box is greyed out, so I am not only unable to remove wine as my default, but I cannot tell it to always save these files to disk, or *something* that does not involve immediately compromising my user account.

All of these together mean not only that I am vulnerable to accidentally clicking the wrong button when trying to cancel out of this malicious webpage, but that I am unable to prevent this from happening in the future. I believe this is a critical bug for anybody who has both Firefox and Wine installed on the same system, as it leads to arbitrary code execution under circumstances that are not too much of a stretch.

(For anybody interested in the specific website, the URL that I was referred to on the "onunload" handler in the hijacked page shows up in the download window screenshot--I don't want to paste it here.)

I don't know what the right solution is here, but I would personally like to see some serious review go into the default MIME types and helper applications. This is the reason that I am reporting the bug here rather than upstream. Mozilla Firefox has no control over the defaults that the Distro provides, and the simplest solution for now is to change the default mime handlers so that you don't end up with "open with wine" as a default anywhere.

Also, while this isn't productive to this specific discussion and I am merely preaching to the choir, I would like a GUI that allows normal users to see the *full* list of file extensions and their associated programs, so that you can make conscious decisions about file types rather than only relying on defaults. I'm talking about Edit->Preferences->Applications, but instead of only a select few of them, a list that shows *all* application handlers on the system, and allows adding/removing entries, kind of like the "Folder Options" screen that Windows has (though I'm not saying to copy their overly complicated registry).

If not this, I would at least like to see a "Change the default" option that isn't sometimes mysteriously greyed out. Again, it isn't Ubuntu's place to add such a feature, so this might be worth reporting to upstream.

I guess that's not the job of Firefox. Wine should let check if it's a virus..

You can also choose with which application the exe will be opened.

Firefox can not protect a user from himself.
How should know if you are downloading a virus or not ?

That is not our problem is the user decides to run random .exe files with Wine.

I think what the reporter asks for is to make a similar behaviour for .exe files on linux like we currently have on windows for .exe files, e.g. only allow to download.

Was that understood? Personally, I think is somewhat a valid request; though not really a severe one for now.

reopening.

for now moving to downloadmanager where we could handle this.

I would argue this is a GNOME bug - we should have a generic warning interception dialog for when you try to execute unsandboxed code downloaded from the Internet. IIRC there was some sort of attempt at this somewhere (nautilus?). Needs investigation.

Patrick Horn (phrh) wrote :
Download full text (4.3 KiB)

Binary package hint: firefox-3.0

Distro: Ubuntu 8.10
Uname -a: Linux rand 2.6.28-8-generic #28-Ubuntu SMP Fri Mar 6 00:09:20 UTC 2009 x86_64 GNU/Linux

apt-cache policy firefox-3.0
firefox-3.0:
  Installed: 3.0.8+nobinonly-0ubuntu0.8.10.2
  Candidate: 3.0.8+nobinonly-0ubuntu0.8.10.2
  Version table:
 *** 3.0.8+nobinonly-0ubuntu0.8.10.2 0
        500 http://mirror.anl.gov intrepid-updates/main Packages
        500 http://security.ubuntu.com intrepid-security/main Packages
        100 /var/lib/dpkg/status
     3.0.3+nobinonly-0ubuntu2 0
        500 http://mirror.anl.gov intrepid/main Packages

I have accidentally found my way to a web site which has been hacked. Upon exiting the page, a hijacked onunload handler brings me to another site which immediately attempts to download a .EXE file for windows.

Anyone who says that EXE programs are not dangerous on Linux is simply wrong. Wine by default comes with a link dosdevices/z: -> /
What this means is that any windows program can read/write to all files that I have read/write access to. For example, imagine a simple trojan that adds malicious code to all .EXE files on the disk. While this may not be an immedate problem, the next time I boot to my windows partition, my computer will be owned! Or, a virus could just inconspicuously delete or truncate all "unimportant" files (images, documents) on my computer -- And from what I have heard, there are recent malicious programs floating around the internet that do this.

In addition, Wine executables that are designed with Linux in mind (not that much of a stretch), could launch arbitrary code, even in the form of a ELF binary if necessary, followed by installing a keylogger or pretty much anything even if it wasn't possible using windows-only code.

While I am understanding of the chain of events leading to the EXE download (there is nothing Firefox can do about me going to a malicious website), there are a number of problems (I have attached a screenshot so you can see what I mean):

1) The Dialog box marks "Open with wine" as default,

2) It does not have a countdown timer! So any page that asks you to fill in a text box and hit enter, could cause you to run an arbitrary .EXE using wine by initiating the download at exactly the right time.

3) The "Use this as default" box is greyed out, so I am not only unable to remove wine as my default, but I cannot tell it to always save these files to disk, or *something* that does not involve immediately compromising my user account.

All of these together mean not only that I am vulnerable to accidentally clicking the wrong button when trying to cancel out of this malicious webpage, but that I am unable to prevent this from happening in the future. I believe this is a critical bug for anybody who has both Firefox and Wine installed on the same system, as it leads to arbitrary code execution under circumstances that are not too much of a stretch.

(For anybody interested in the specific website, the URL that I was referred to on the "onunload" handler in the hijacked page shows up in the download window screenshot--I don't want to paste it here.)

I don't know what the right solution is here, but I would ...

Read more...

Patrick Horn (phrh) wrote :
Patrick Horn (phrh) wrote :

Just a note: The screenshot shows a greyed out OK button. It just looks that way because of the theme and the fact that the window is not focused. Upon clicking on the window the button is clickable.

Also, the site in question pops up a bunch of annoying alert boxes, so it is possible that an unsuspecting user with a fast keyboard repeat rate who hits the enter key to close them can may be able to launch the executable by mistake (the only indication may be that the Download Manager will open up). I have not tried it since I don't want to compromise my machine, and I do suspect the mozilla devs have already thought of this scenario--maybe by detecting if the key is already held down. But if not, this is yet another way that a user could be tricked into clicking OK.

visibility: private → public
Changed in firefox-3.0 (Ubuntu):
status: New → Confirmed
Vadim Peretokin (vperetokin) wrote :

Agreeing with the ability to change running .exe's default, but there is nothing smart you can do about the rest. Annoying 'are you sure you want to run this?' dialogs are doubtly effective - if you want protection, install an anti-virus.

Changed in wine (Ubuntu):
status: New → Confirmed
Steve Dodier-Lazaro (sidi) wrote :

You can try to see with upstream wine in order to get tools to create "sandbox" wineprefixes, but there isn't much more they can do. Wine is KNOWN to be a security breach, by the way.

Kees Cook (kees) on 2009-04-16
Changed in wine (Ubuntu):
importance: Undecided → Medium
Changed in firefox-3.0 (Ubuntu):
importance: Undecided → Medium
Scott Ritchie (scottritchie) wrote :

Why don't we just do what Windows Firefox does when you download an executable there?

Created an attachment (id=20846)
Reduce .desktop file to application/x-msdos-executable and application/x-msi

Our desktop file is too greedy. I think I wrote it a while back off a list of every possible mime type a .exe file can have from somewhere on the internet; this resulted in entries like x-zip-compressed and x-executable. This results in the side effect that Wine now tries to open shell scripts and zip files on many systems.

On modern systems we can rely on shared-mime-info to correctly identify executables as application/x-msdos-executable, so we only need that MIME type for .exe.

So, I suggest we reduce our .desktop file to two mime types: application/x-msdos-executable and application/x-msi. The attached patch fixes this.

This still leaves the possibility of not opening .com, .bat, or similar files, however that's already broken and is a bug in shared-mime-info to be fixed there. Moreover, there's a slight chance of the reverse possibility - a .exe file that isn't a Wine executable file. I don't think that's our bug either though - again a problem in shared-mime-info.

Scott Ritchie (scottritchie) wrote :

Part of the problem is the default MIME typing Wine takes (see upstream bug), however this does not cover the case of executables and .msi files, which Wine should be opening.

Changed in wine:
status: Unknown → Confirmed

Colin, how is this a gnome bug? All the app handling and mime code is kind of redone on mozilla side atm. At some point we might have the system application chooser for gnome integrated in firefox; at that point it would probably become a gnome bug, but not for now.

Technically, there shouldnt be much wizardry required here, except to hard code that .exe files are always unsafe - even on linux. See: https://bugs.edge.launchpad.net/ubuntu/+source/firefox-3.0/+bug/309214/comments/11

What I'm saying is that if GNOME provided some facility for applications to check whether a file was downloaded from the internet, and pop up a warning dialog, it could be reused not only in Firefox but also in say Empathy/Pidgin file transfers.

I know Firefox does application handling manually now, but there's not a reason that can't be changed.

Changed in wine:
status: Confirmed → Fix Released

Closing bugs fixed in 1.1.21.

*** Bug 492456 has been marked as a duplicate of this bug. ***

Changed in wine (Ubuntu):
status: Confirmed → Fix Committed
Changed in firefox:
status: Unknown → Invalid
Changed in firefox:
status: Invalid → Unknown
Changed in firefox:
status: Unknown → Confirmed
Micah Gersten (micahg) wrote :

Added Firefox 3.5 for tracking as 3.0 will be EOL soon.

Changed in firefox-3.5 (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in firefox-3.0 (Ubuntu):
status: Confirmed → Triaged
Changed in wine:
importance: Unknown → Wishlist
Changed in firefox:
importance: Unknown → Medium
Scott Ritchie (scottritchie) wrote :

was fixed in Wine long ago

Changed in wine (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.