Bug#515104: nautilus: potential exploits via application launchers

Josselin Mouette joss at debian.org
Sat Feb 14 10:28:25 UTC 2009


On Friday 13 February 2009 at 10:29 -0500, Michael S. Gilbert wrote:
> as you have probably seen by now, there has been a lot of coverage
> about the potential avenue for exploits via kde and gnome application
> launchers (it looks like xfce is safe, for now) [1], [2], [3].
> 
> the core of the problem is that launchers have the ability to execute
> perl, python, etc scripts without the executable bit set.  this
> makes it much easier for an attacker to get the user to download and
> run potentially malicious code.

It’s not just about perl or python scripts; a .desktop file can execute
any command. We already have (unfortunately Debian-specific) patches to
deal with this, see #408948 and #408556.

Currently, .desktop files will be only launched if all these conditions
are met:
      * the file is on the local host,
      * it belongs to root or to the current user,
      * its name ends in “.desktop”,
      * it’s not in a removable drive.

To make this an email virus, you would have to send the file by e-mail,
make the user save it on the local disk (while the file looks suspicious
with its unknown type and extension), and make him browse to this
directory and double-click on it. The last part is easier, but the first
part sounds like expecting absolute stupidity. However I realize that
it’s much easier to use the web as an attack vector, especially with
epiphany which can download files automatically.

The idea of requiring the executable bit is very nice, but it would
require a real bunch of changes to ensure that .desktop files created by
the user or copied with DnD have their executable bit set. Maybe
disabling auto-download in epiphany for .desktop files is the way to go
instead.

Thoughts anyone?
-- 
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.
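The four launch conditions listed in the message above, together with the proposed executable-bit requirement, are easy to model as a single policy function. The following is an added example written for this page; it is not nautilus code nor part of the Debian patches referenced (#408948, #408556). The `LauncherCandidate` fields, the `removable_mount_points` parameter and the sample paths are assumptions made for illustration; how nautilus actually determines "local host" and "removable drive" is not shown here.

```python
"""Policy check for .desktop launchers: the current Debian-patched rules,
plus the stricter executable-bit rule discussed in the thread.
Added example; not the nautilus implementation."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class LauncherCandidate:
    """Facts about a file the user double-clicked (assumed field set)."""
    path: str                 # path as presented to the file manager
    owner_uid: int            # st_uid of the file
    mode: int                 # st_mode of the file
    on_local_host: bool       # False for remote locations (sftp://, smb://, ...)
    on_removable_media: bool  # True for USB sticks, CDs and similar


def launcher_is_trusted(cand, current_uid, require_exec_bit=False):
    """Return (trusted, reason).

    With require_exec_bit=False this mirrors the four conditions listed in
    the message: local host, owned by root or the current user, name ends in
    ".desktop", not on removable media.  With require_exec_bit=True it adds
    the proposed fifth condition: the owner executable bit must be set.
    """
    if not cand.on_local_host:
        return False, "not on the local host"
    if cand.owner_uid not in (0, current_uid):
        return False, "not owned by root or the current user"
    if not cand.path.endswith(".desktop"):
        return False, "name does not end in .desktop"
    if cand.on_removable_media:
        return False, "on removable media"
    if require_exec_bit and not (cand.mode & stat.S_IXUSR):
        return False, "executable bit not set"
    return True, "all conditions met"


def candidate_from_path(path, removable_mount_points=()):
    """Build a LauncherCandidate for a plain filesystem path.

    Any path reachable through os.stat is treated as local; a file is
    considered removable when it lives under one of the given (assumed,
    absolute) mount points.
    """
    st = os.stat(path)
    real = os.path.realpath(path)
    under_removable = any(
        os.path.commonpath([real, os.path.realpath(m)]) == os.path.realpath(m)
        for m in removable_mount_points
    )
    return LauncherCandidate(path, st.st_uid, st.st_mode, True, under_removable)


def downloaded_file_demo():
    """Simulate the scenario from the message: a file the user saved to
    disk.  The saved file is owned by the user and has no executable bit,
    exactly like a browser download.  Returns the verdict under the current
    policy and under the executable-bit policy."""
    with tempfile.NamedTemporaryFile(suffix=".desktop", delete=False) as f:
        f.write(b"[Desktop Entry]\nType=Application\nExec=true\n")
        saved = f.name
    try:
        cand = candidate_from_path(saved)
        uid = os.getuid()
        return (launcher_is_trusted(cand, uid),
                launcher_is_trusted(cand, uid, require_exec_bit=True))
    finally:
        os.unlink(saved)


if __name__ == "__main__":
    current, strict = downloaded_file_demo()
    print("current policy :", current)
    print("with exec bit  :", strict)
```

Running the demo shows why the executable-bit proposal matters: a downloaded launcher passes all four current conditions as soon as it is saved under the user's home directory, while the fifth condition rejects it because browsers do not set the executable bit on saved files. The flip side, also noted in the message, is that launchers the user creates or copies by drag-and-drop would then need that bit set explicitly.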