Control characters alter filename appearance

Bug #197804 reported by Amaroq on 2008-03-02
254
Affects Status Importance Assigned to Milestone
Nautilus
Confirmed
Medium
nautilus (Ubuntu)
Low
Ubuntu Desktop Bugs

Bug Description

After reading an article about how the LRO and RLO unicode characters could be used to produce deceptive filenames in Vista, me and a friend of mine tried this on Ubuntu to see if it would work there too.

I used the following command via terminal:

touch S[RLO]iva.exe

where [RLO] is the Right to Left Override character pasted into the terminal.
(Note that some terminals do not allow you to paste this character. At least my friend's didn't.)

ls'ing the directory shows something akin to S iva.exe. (The space would be the control character.)
Viewing the directory in nautilus shows the filename as "Sexe.avi".
Quite the tempting filename.

Indeed, everything GUI seems to render the effects of the control character. At least as far as viewing filename and saving files via Pidgin's file transfer and such. (The spoofed filename even remains intact in the field where the filename to save as is defaulted to the filename that the sender is sending.)

Double clicking would attempt to open it as an exe.

Obviously only remotely detrimental if you have Wine or something else that handles exe files. But still, the possibility for exploit using crafted filenames remains.

Something like [RLO]gpj.[LRO]ShellScript could easily be spoofed and would render as ShellScript.jpg.

Ubuntu 7.10.

Amaroq (coolsteve64) wrote :
Michael Nagel (nailor) wrote :

redirecting this to nautilus, perhaps someone will have a look at it...

Sebastien Bacher (seb128) wrote :

thank you for your bug report. could you try if that's still an issue in hardy or intrepid? the filename is displayed as having an incorrect encoding on my intrepid installation

Changed in nautilus:
assignee: nobody → desktop-bugs
importance: Undecided → Low
status: New → Incomplete
Samuel Lidén Borell (samuellb) wrote :

Yes, at least Hardy still displays deceptive filenames. I tried this on my Intrepid installation which unfortunately was a few days old (it later broke when I updated it, I'll have to investigate that before I can test on a newer version), and it had the same issue.

Sebastien Bacher (seb128) wrote :

wgetting the bug example doesn't give a broken example, could you describe how to type this special character?

Samuel Lidén Borell (samuellb) wrote :

I wrote this text in gedit:

test [RLO]gepj.exe

where [RLO] is selected from the right-click menu. Then I created a new empty text file in Nautilus and pasted in the filename from gedit.The filename displayed was "test exe.jpeg"

Sebastien Bacher (seb128) wrote :

typing "test [RLO]gepj.exe" makes the "test exe.jpeg" text being displayed, that seems to be the intended behaviour and not a bug

Amaroq (coolsteve64) wrote :

I downloaded the file I attached, S[RLO]iva.exe. Viewing it in both nautilus in a folder and directly on the desktop still renders the deceptive filename.

This is on a fresh , fully updated Hardy install.

Sebastien Bacher (seb128) wrote :

could anybody having the issue open a bug on bugzilla.gnome.org?

A. Walton (awalton) wrote :

This might be a tough one to fix. If I understand correctly, RLO and LRO are often used while internationalizing text. Nautilus normally doesn't do anything tricky when displaying names. We just pass them over to Pango to be rendered and display them. We could fix it on a per-locale basis, but we would still get it wrong for a lot of people (e.g. people who use one locale but have files with names from different locales).

Per the most common and worrisome case, when launching a script from Nautilus, we ask whether you want to edit it or launch it beforehand, which mostly defeats this attack. The only remaining vector then would be to use a specially crafted Desktop Entry file, which is a different bug altogether (Nautilus could be a lot more picky about launching these). I think the Wine+EXE case is even more specific and rare than the two mentioned above.

Anyways, feel free to forward it upstream and/or work on it if you like.

Amaroq (coolsteve64) wrote :

I've opened this as a bug on bugzilla.gnome.org.

I'm not quite sure how to mark it as a security vuln though...

http://bugzilla.gnome.org/show_bug.cgi?id=549882

Changed in nautilus:
status: Incomplete → Triaged
Changed in nautilus:
status: Unknown → Confirmed
Changed in nautilus:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.