[Bug 13329] New: Hiding filename/extension for .desktop files with execute permission.

[Bug 13329] New: Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

            Bug ID: 13329
           Summary: Hiding filename/extension for .desktop files with
                    execute permission.
    Classification: Xfce
           Product: Thunar
           Version: 1.6.10
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Medium
         Component: desktop
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email], [hidden email]
  Target Milestone: 1.8.0

Created attachment 6980
  --> https://bugzilla.xfce.org/attachment.cgi?id=6980&action=edit
Screenshot of malicious .desktop file displayed in Thunar

Hiding the filename/extension may be used to trick users into executing arbitrary
code.

How to reproduce:

1. Create a file called malware.desktop

2. Add the following content to it:

[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office

3. Make it executable

Thunar displays the file like this (see attachment):

Once the user opens the file, the Exec entry is executed without any
confirmation. By hiding the filename, and therefore also the filename extension,
users can easily be tricked into executing arbitrary code when someone ships files
like that in an archive which preserves execute permissions.

How to fix it:

Maybe by not hiding the filename for .desktop files at all.


/u/wander_homer brought it up
https://www.reddit.com/r/linux/comments/5r6va0/how_to_easily_trick_file_manager_users_to_execute/

For reference, this bug also applies to other file managers:
https://github.com/lxde/pcmanfm-qt/issues/449
https://github.com/mate-desktop/caja/issues/727
https://github.com/linuxmint/nemo/issues/1404

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
Xfce-bugs mailing list
[hidden email]
https://mail.xfce.org/mailman/listinfo/xfce-bugs
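A defender-side check for the disguise described in this report, added here as an example and not code from the report, the reporter or Thunar: it parses a .desktop entry and flags executable ones whose Name= carries a document-like extension or whose Icon= is a document icon while Type=Application, i.e. exactly the combination the report shows. The two sample entries, the suffix list and the icon list are constructed assumptions.

```python
import configparser
from pathlib import Path
# Constructed sample: the entry from the report (Name claims a PDF, Exec runs a shell).
SUSPICIOUS_ENTRY = """[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
"""
# Constructed sample: an ordinary launcher whose displayed name does not imitate a file.
BENIGN_ENTRY = """[Desktop Entry]
Name=Text Editor
Exec=mousepad %F
Type=Application
"""
# Heuristic lists (assumptions): suffixes and icons a launcher might borrow to look like a document.
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".odt", ".txt", ".jpg", ".png", ".zip"}
DOCUMENT_ICONS = {"x-office-document", "x-office-spreadsheet", "x-office-presentation", "image-x-generic"}

def parse_desktop_entry(content):
    """Return the [Desktop Entry] group as a dict, or None if the group is missing."""
    parser = configparser.RawConfigParser(strict=False)  # no %-interpolation, so Exec=... %F is safe
    parser.optionxform = str  # .desktop keys are case-sensitive (Name, Exec, Type)
    parser.read_string(content)
    return dict(parser.items("Desktop Entry")) if parser.has_section("Desktop Entry") else None

def audit_desktop_entry(filename, content, executable):
    """Reasons the file would be shown misleadingly; Thunar only hides the filename when executable."""
    entry = parse_desktop_entry(content)
    if entry is None or not executable or entry.get("Type") != "Application":
        return []
    name = entry.get("Name", "")
    findings = []
    if Path(name).suffix.lower() in DOCUMENT_SUFFIXES:
        findings.append(f"{filename}: shown as {name!r}, which looks like a document, but Type=Application")
    if entry.get("Icon") in DOCUMENT_ICONS:
        findings.append(f"{filename}: document icon {entry['Icon']!r} on an application launcher")
    return findings

def audit_directory(directory):
    """Audit every .desktop file below `directory`; returns {path: findings} for flagged files."""
    report = {}
    for path in Path(directory).rglob("*.desktop"):
        mode = path.stat().st_mode  # any execute bit is enough for the display-name substitution
        findings = audit_desktop_entry(path.name, path.read_text(errors="replace"), bool(mode & 0o111))
        if findings:
            report[str(path)] = findings
    return report
```

Running `audit_directory` over an extracted archive or a Downloads folder lists the launchers that would be rendered under a borrowed document name.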
[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://www.reddit.com/r/li
                   |                            |nux/comments/5r6va0/how_to_
                   |                            |easily_trick_file_manager_u
                   |                            |sers_to_execute/

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #1 from Mathias Svanbäck <[hidden email]> ---
Created attachment 6981
  --> https://bugzilla.xfce.org/attachment.cgi?id=6981&action=edit
Could maybe append the .desktop extension to the display_name while in the
file browser.

Just to indicate the file type to the user, i.e. what extension it actually
has.

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6981|Could maybe append the      |Could maybe append the
        description|.desktop extention to the   |.desktop extention to the
                   |display_name while in the   |display_name while in the
                   |filebrowser.                |filebrowser.
                   |                            |
                   |                            |branch on
                   |                            |github
                   |                            |https://github.com/MatteO-M
                   |                            |atic/thunar/tree/Matte_Show
                   |                            |DesktopExtention_20170201_0
                   |                            |70840

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Mathias Svanbäck <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #6981|Could maybe append the      |Could maybe append the
        description|.desktop extention to the   |.desktop extention to the
                   |display_name while in the   |display_name while in the
                   |filebrowser.               |filebrowser.
                   |                           |
                   |branch on                   |
                   |github                      |
                   |https://github.com/MatteO-M |
                   |atic/thunar/tree/Matte_Show |
                   |DesktopExtention_20170201_0 |
                   |70840                       |

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

--- Comment #2 from Mathias Svanbäck <[hidden email]> ---
Hosting the suggested patch on my GitHub:

https://github.com/MatteO-Matic/thunar/tree/Matte_ShowDesktopExtention_20170201_070840

[Bug 13329] Hiding filename/extension for .desktop files with execute permission.

bugzilla-daemon
https://bugzilla.xfce.org/show_bug.cgi?id=13329

Skunnyk <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email],
                   |                            |[hidden email]
