.desktop files provide simple infection vector for trojans

Bug #153438 reported by Alex Willmer on 2007-10-16
260
Affects Status Importance Assigned to Milestone
Nautilus
Fix Released
Wishlist
nautilus (Debian)
Fix Released
Unknown
nautilus (Ubuntu)
High
Ubuntu Desktop Bugs

Bug Description

Binary package hint: nautilus

An attacker may cause the user to run a .desktop file containing executable code, without that file having the executable attribute.

I demonstration exploits are available here:
http://robots.org.uk/fdo-desktop-entry-vulnerability/

If saved to the desktop, which may be the default for application/octet-stream this file appears as 'hot goats.jpg', with a photo icon. No indication is given that code will execute, should the file be opened.

Clicking the icon causes the embedded python code to display a window containing the message 'owned'. Embedded code could do anything which the user has privileges to perform.

This is an extremely short distance from download to execution of code and should be considered a serious vulnerability, akin to double extensions on MS Windows and execute attachments/downloads behavior.

This issue has been discussed previously on the xdg mailing list:
http://lists.freedesktop.org/archives/xdg/2006-April/006357.html

However I feel the default behavior of Nautilus warrants this bug report.

Related branches

Alex Willmer (alex-moreati) wrote :

This is still exploitable in Ubuntu 8.04, text of email I just sent to <email address hidden> follows:

I just tested this using Firefox 3 on Ubuntu 8.04 with Gnome 2.22.2.

trojan.desktop Displayed in Firefox as a plain text file

trojan-axd.desktop Asked to save or open the file:
      * If saved default location is desktop. Appears with jpeg icon and
        file name 'hot goats.jpg'. Double clicking causes the code to
        run (displays 'Owned' in a small window).
      * If open with chosen, following message is displayed "The
        application you chose ("(null)") could not be found. Check the
        file name or choose another application."

trojan-aos.desktop Treated as executable by Firefox may only save file
      * If Save file clicked, file is saved to Desktop, no choice.
      * Once saved it behaves like trojan-axd.desktop.

I now have multiple icons on my desktop, all apparently called 'hot
goats.jpg' (without quotes). All of them run the embedded python code.

alex@martha:~/Documents/primes$ ls /home/alex/Desktop/trojan*
/home/alex/Desktop/trojan-aos(2).desktop
/home/alex/Desktop/trojan-aos(3).desktop
/home/alex/Desktop/trojan-aos.desktop
/home/alex/Desktop/trojan-axd(2).desktop
/home/alex/Desktop/trojan-axd.desktop

Pedro Villavicencio (pedro) wrote :

thansk fr the report, this needs to be send to the upstream authors of nautilus at bugzilla.gnome.org since they writ the code, for forwarding instructions please have a look to https://wiki.ubuntu.com/Bugs/Upstream/GNOME; thanks.

Changed in nautilus:
assignee: nobody → desktop-bugs
importance: Undecided → Medium
Changed in nautilus:
importance: Medium → Low
status: New → Triaged
Changed in nautilus:
status: Unknown → New
Kees Cook (kees) on 2009-02-11
Changed in nautilus:
importance: Low → High
milestone: none → later
status: Triaged → Confirmed
Sebastien Bacher (seb128) wrote :

Laurent those changes were used but don't apply to the new gio codebase, they are not activated in debian experimental either

On Fri, 2009-02-13 at 09:10 +0000, Sebastien Bacher wrote:

> Laurent those changes were used but don't apply to the new gio codebase,

Too bad.

> they are not activated in debian experimental either

The Debian bug reports are archived, therefore I will report another one
and link it to this LP bug...

--
Laurent Bonnaud.
http://www.lis.inpg.fr/pages_perso/bonnaud/

otzenpunk (reisswolf-nospam) wrote :

Added Gnome bug #572203, because the other referenced Gnome bug is outdated.

Changed in nautilus:
status: New → Unknown
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nautilus - 1:2.25.92-0ubuntu1

---------------
nautilus (1:2.25.92-0ubuntu1) jaunty; urgency=low

  * New upstream version:
    - Set mmap limit to avoid desktop background memory not being returned to the os
    - Warn when source overwrites destination in move
    - Don't put "link to ..." in front of symlinks unless there are name conflicts
    - Fix desktop flicker on theme change (lp: #327974)
    - Require desktop file app launchers to be executable (lp: #153438)
    - Support making symlinks on remote locations

 -- Sebastien Bacher <email address hidden> Mon, 02 Mar 2009 18:33:40 +0100

Changed in nautilus:
status: Confirmed → Fix Released
Changed in nautilus:
status: Unknown → Fix Released
Changed in nautilus:
status: Unknown → New
Changed in nautilus:
importance: Unknown → Wishlist
Changed in nautilus (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.