[Xfce-bugs] [Bug 13329] New: Hiding filename/extension for .desktop files with execute permission.
bugzilla-daemon at xfce.org
Thu Feb 2 19:21:26 CET 2017
https://bugzilla.xfce.org/show_bug.cgi?id=13329
Bug ID: 13329
Summary: Hiding filename/extension for .desktop files with execute permission.
Classification: Xfce
Product: Thunar
Version: 1.6.10
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: Medium
Component: desktop
Assignee: xfce-bugs at xfce.org
Reporter: matteomatic at outlook.com
QA Contact: nick at xfce.org
CC: benny at xfce.org, hjudt at xfce.org
Target Milestone: 1.8.0
Created attachment 6980
--> https://bugzilla.xfce.org/attachment.cgi?id=6980&action=edit
Screenshot of malicious .desktop file displayed in Thunar
Hiding the filename/extension may be used to trick users into executing arbitrary
code.
How to reproduce:
1. Create a file called malware.desktop
2. Add the following content to it:
[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
3. Make it executable
Thunar displays the file like this (see attachment):
Once the user opens the file, the Exec entry is executed without any
confirmation. By hiding the filename, and therefore also the filename extension,
users can easily be tricked into executing arbitrary code when someone ships files
like that in an archive which preserves execute permissions.
How to fix it:
Maybe by not hiding the filename for .desktop files at all.
/u/wander_homer brought it up
https://www.reddit.com/r/linux/comments/5r6va0/how_to_easily_trick_file_manager_users_to_execute/
For reference, this bug also applies to other file managers:
https://github.com/lxde/pcmanfm-qt/issues/449
https://github.com/mate-desktop/caja/issues/727
https://github.com/linuxmint/nemo/issues/1404
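The mismatch the report describes (an executable .desktop file whose Name= reads like a document while its Exec= runs a command) can be checked on disk before a file manager ever renders it. The script below is an added example, not Thunar's code and not something the reporter posted: it parses the [Desktop Entry] group, flags executable launchers whose Name looks like a data file, and shows the kind of label a file manager could display instead of hiding the real filename. The list of "document-looking" extensions and the "Name (filename)" label format are my assumptions; the sample launcher is the one from the report, written to a temporary directory and never executed.

```python
"""Detect executable .desktop launchers whose Name= masquerades as a document."""
import configparser
import os
import re
import stat
import tempfile

# Extensions a user would read as "a document, safe to open" (assumed list).
DOCUMENT_SUFFIX = re.compile(
    r"\.(pdf|docx?|odt|xlsx?|pptx?|txt|jpe?g|png|zip)$", re.IGNORECASE
)


def parse_desktop_entry(text):
    """Parse the [Desktop Entry] group into a dict, or None if not a desktop entry.

    Keys stay case-sensitive and no %-interpolation is applied, as the spec requires.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("Desktop Entry"):
        return None
    return dict(cp.items("Desktop Entry"))


def is_executable(path):
    """True if any execute bit is set; that bit is what makes Thunar run Exec=."""
    return bool(os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def classify(entry, executable):
    """Verdict for one parsed entry.

    'invalid'          : not a parseable desktop entry
    'inert'            : no execute bit, so the file is treated as plain text
    'not-application'  : Type is not Application (or no Exec), nothing is launched
    'spoofed-document' : executable launcher whose Name looks like a data file
    'launcher'         : ordinary executable launcher
    """
    if entry is None:
        return "invalid"
    if not executable:
        return "inert"
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return "not-application"
    if DOCUMENT_SUFFIX.search(entry.get("Name", "")):
        return "spoofed-document"
    return "launcher"


def safe_label(filename, entry):
    """Assumed mitigation: keep Name= for usability but always append the on-disk name."""
    name = (entry or {}).get("Name")
    if not name or name == filename:
        return filename
    return f"{name} ({filename})"


def scan_directory(directory):
    """Return {filename: (verdict, label)} for every .desktop file in a directory."""
    results = {}
    for fn in sorted(os.listdir(directory)):
        if not fn.endswith(".desktop"):
            continue
        path = os.path.join(directory, fn)
        with open(path, encoding="utf-8", errors="replace") as fh:
            entry = parse_desktop_entry(fh.read())
        results[fn] = (classify(entry, is_executable(path)), safe_label(fn, entry))
    return results


# Constructed samples: the launcher from the bug report plus a benign one.
SPOOFED = """[Desktop Entry]
Name=CV.pdf
Exec=sh -c 'touch ./MALWARE_WAS_HERE'
Terminal=false
Icon=x-office-document
Type=Application
Categories=Office
"""
BENIGN = """[Desktop Entry]
Name=Text Editor
Exec=mousepad %F
Type=Application
"""


def demo():
    """Write both samples (executable) into a temp dir and scan it; nothing is run."""
    with tempfile.TemporaryDirectory() as tmp:
        for fn, body in (("malware.desktop", SPOOFED), ("editor.desktop", BENIGN)):
            path = os.path.join(tmp, fn)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o755)
        return scan_directory(tmp)


if __name__ == "__main__":
    for fn, (verdict, label) in demo().items():
        print(f"{fn:18} {verdict:18} shown as: {label}")
```

Pointing scan_directory at a freshly extracted archive gives a quick triage of which launchers would be run silently and which of those are dressed up as documents; the 'inert' verdict is why the report stresses execute permission, since without that bit the same file is just text.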