[Xfce-bugs] [Bug 13329] New: Hiding filename/extention for .desktop files with execute permission.

bugzilla-daemon at xfce.org bugzilla-daemon at xfce.org
Thu Feb 2 19:21:26 CET 2017


            Bug ID: 13329
           Summary: Hiding filename/extention for .desktop files with
                    execute permission.
    Classification: Xfce
           Product: Thunar
           Version: 1.6.10
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Medium
         Component: desktop
          Assignee: xfce-bugs at xfce.org
          Reporter: matteomatic at outlook.com
        QA Contact: nick at xfce.org
                CC: benny at xfce.org, hjudt at xfce.org
  Target Milestone: 1.8.0

Created attachment 6980
  --> https://bugzilla.xfce.org/attachment.cgi?id=6980&action=edit
Screenshot of malicious .desktop file displayed in Thunar

Hiding the filename/extention may be used to trick users to execute arbitrary

How to reproduce:

1. Create a file called malware.desktop 

2. Add the following content to it:

[Desktop Entry]
Exec=sh -c 'touch ./MALWARE_WAS_HERE'

3. Make it executable

Thunar displays the file like that: (see attachment)

Once the user opens the file the Exec entry is executed without any
confirmation. By hiding the filename and therefore also the filename extension
users can easily be tricked to execute arbitrary code when some ships files
like that in an archive which preserves execute permissions.

How to fix it:

Maybe by don't hiding the filename for .desktop files at all.

/u/wander_homer brought it up

For reference, this bug also applies to other file managers:

You are receiving this mail because:
You are the assignee for the bug.

More information about the Xfce-bugs mailing list