[Bug 13329] New: Hiding filename/extension for .desktop files with execute permission.


[Bug 13329] New: Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

            Bug ID: 13329
           Summary: Hiding filename/extension for .desktop files with
                    execute permission.
    Classification: Xfce
           Product: Thunar
           Version: 1.6.10
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Medium
         Component: desktop
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email], [hidden email]
  Target Milestone: 1.8.0

Created attachment 6980
  --> https://bugzilla.xfce.org/attachment.cgi?id=6980&action=edit
Screenshot of malicious .desktop file displayed in Thunar

Hiding the filename/extension may be used to trick users into executing arbitrary
code.

How to reproduce:

1. Create a file called malware.desktop

2. Add the following content to it:

[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office

3. Make it executable

Thunar displays the file like that (see attachment).

Once the user opens the file, the Exec entry is executed without any
confirmation. By hiding the filename, and therefore also the filename extension,
users can easily be tricked into executing arbitrary code when someone ships files
like that in an archive which preserves execute permissions.

How to fix it:

Maybe by not hiding the filename for .desktop files at all.


/u/wander_homer brought it up
https://www.reddit.com/r/linux/comments/5r6va0/how_to_easily_trick_file_manager_users_to_execute/

For reference, this bug also applies to other file managers:
https://github.com/lxde/pcmanfm-qt/issues/449
https://github.com/mate-desktop/caja/issues/727
https://github.com/linuxmint/nemo/issues/1404

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Xfce-bugs mailing list
[hidden email]
https://mail.xfce.org/mailman/listinfo/xfce-bugs

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://www.reddit.com/r/li
                   |                            |nux/comments/5r6va0/how_to_
                   |                            |easily_trick_file_manager_u
                   |                            |sers_to_execute/


[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #1 from Mathias Svanbäck <[hidden email]> ---
Created attachment 6981
  --> https://bugzilla.xfce.org/attachment.cgi?id=6981&action=edit
Could maybe append the .desktop extension to the display_name while in the
file browser.

Just to indicate to the user what kind of file type/extension it actually
is.

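Added example, not code from the bug report or from Thunar: a small Python checker that parses a .desktop file of the shape used in the reproduction steps, flags a launcher whose Name imitates a document, and builds the kind of display label comment #1 proposes, one that never hides the real filename and extension. The function names, the DOC_EXT_RE extension list and the MALICIOUS_DESKTOP sample are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample with the same shape as the report's reproduction file.
MALICIOUS_DESKTOP = """[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
"""

# Hypothetical list of document-like extensions a spoofed Name might carry.
DOC_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|odt|ods|odp|txt|jpe?g|png|zip)$", re.I)


def parse_desktop_entry(text: str) -> dict:
    """Minimal [Desktop Entry] reader: first '=' splits key/value, first key wins."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry.setdefault(key.strip(), value.strip())
    return entry


def is_deceptive(entry: dict) -> bool:
    """A launcher (Type=Application) whose Name is dressed up as a document."""
    return entry.get("Type") == "Application" and bool(DOC_EXT_RE.search(entry.get("Name", "")))


def display_label(filename: str, entry: dict, executable: bool) -> str:
    """Label that never hides the real filename; Name appears only beside it."""
    name = entry.get("Name", "")
    if executable and entry.get("Type") == "Application" and name and name != filename:
        return f"{name} ({filename})"
    return filename


def scan_path(path: str) -> tuple:
    """Read a .desktop file from disk and return (label, deceptive) for it."""
    with open(path, encoding="utf-8") as fh:
        entry = parse_desktop_entry(fh.read())
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    return display_label(os.path.basename(path), entry, executable), is_deceptive(entry)
```

Running scan_path on the sample written to disk and chmod 755, as in the reproduction steps, yields the label "CV.pdf (malware.desktop)" with the deceptive flag set; without the execute bit the plain filename is shown.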

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6981|Could maybe append the      |Could maybe append the
        description|.desktop extension to the   |.desktop extension to the
                   |display_name while in the   |display_name while in the
                   |filebrowser.                |filebrowser.
                   |                            |
                   |                            |branch on
                   |                            |github
                   |                            |https://github.com/MatteO-M
                   |                            |atic/thunar/tree/Matte_Show
                   |                            |DesktopExtention_20170201_0
                   |                            |70840


[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6981|Could maybe append the      |Could maybe append the
        description|.desktop extension to the   |.desktop extension to the
                   |display_name while in the   |display_name while in the
                   |filebrowser.                |filebrowser.
                   |                            |
                   |branch on                   |
                   |github                      |
                   |https://github.com/MatteO-M |
                   |atic/thunar/tree/Matte_Show |
                   |DesktopExtention_20170201_0 |
                   |70840                       |


[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

--- Comment #2 from Mathias Svanbäck <[hidden email]> ---
Hosting the suggested patch on my github

https://github.com/MatteO-Matic/thunar/tree/Matte_ShowDesktopExtention_20170201_070840


[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Skunnyk <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email],
                   |                            |[hidden email]


[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Yves-Alexis Perez <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #3 from Yves-Alexis Perez <[hidden email]> ---
The same kind of issue has been assigned CVE-2017-14604 in Nautilus. See also

https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ and
https://bugzilla.gnome.org/show_bug.cgi?id=777991
https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0

The executable bit protection can be somehow bypassed, for example by shipping a
tarball which would be extracted by a user. For Nautilus it's even worse
because apparently if the .desktop file is called foo.desktop.pdf it'll be
displayed with a PDF icon but handled as a .desktop file.

Nautilus fixed it by storing the “executable” / “trusted” information in
metadata, which is apparently gio/gvfs stuff, stored on the filesystem in
XDG_DATA_DIR/gvfs-metadata (usually .local/share/gvfs-metadata), which is
supposedly not reachable when extracting a tarball (unless there's a directory
traversal vulnerability in the extraction process).

I'm not sure if something like that applies to Thunar, but it'd be nice to have
additional hardening.

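Added example, not code from Nautilus, gvfs or Thunar: a hypothetical out-of-band trust store in the spirit of the approach comment #3 describes. The trusted flag is kept in a separate metadata file under the user's data directory and bound to the launcher's content hash, so an archive that preserves the execute bit cannot ship a "trusted" launcher, and editing an approved launcher revokes its trust. LauncherTrustStore, its file name and the demo scenario are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile

class LauncherTrustStore:
    """Out-of-band trust record: the trusted flag lives in a separate metadata
    file, not in the launcher's mode bits, so a tarball cannot carry it."""

    def __init__(self, metadata_dir: str):
        os.makedirs(metadata_dir, exist_ok=True)
        self.db = os.path.join(metadata_dir, "launcher-trust.json")
        self.records = {}
        if os.path.exists(self.db):
            with open(self.db) as fh:
                self.records = json.load(fh)

    @staticmethod
    def _digest(path: str) -> str:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()

    def mark_trusted(self, path: str) -> None:
        """Only an explicit user action (e.g. "Mark as trusted") calls this."""
        self.records[os.path.abspath(path)] = self._digest(path)
        with open(self.db, "w") as fh:
            json.dump(self.records, fh)

    def is_trusted(self, path: str) -> bool:
        """Trusted only if recorded AND unchanged since the user approved it."""
        stored = self.records.get(os.path.abspath(path))
        return stored is not None and stored == self._digest(path)

def demo() -> tuple:
    """Constructed scenario: a freshly 'extracted' launcher is untrusted even
    with +x, becomes trusted after approval, and loses trust when modified."""
    with tempfile.TemporaryDirectory() as home:
        store = LauncherTrustStore(os.path.join(home, ".local", "share", "launcher-trust"))
        path = os.path.join(home, "malware.desktop")
        with open(path, "w") as fh:
            fh.write("[Desktop Entry]\nName=CV.pdf\nExec=sh -c 'touch ./MALWARE_WAS_HERE'\nType=Application\n")
        os.chmod(path, 0o755)          # execute bit preserved by the archive: still untrusted
        after_extract = store.is_trusted(path)
        store.mark_trusted(path)
        after_approval = store.is_trusted(path)
        with open(path, "a") as fh:    # content changed after approval: trust is revoked
            fh.write("Comment=edited later\n")
        after_tamper = store.is_trusted(path)
    return after_extract, after_approval, after_tamper
```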