Bug#515104: nautilus: potential exploits via application launchers
Sam Morris
sam at robots.org.uk
Sat Feb 14 12:09:33 UTC 2009
On Sat, 14 Feb 2009 11:28:25 +0100, Josselin Mouette wrote:
> Le vendredi 13 février 2009 à 10:29 -0500, Michael S. Gilbert a écrit :
>> as you have probably seen by now, there has been a lot of coverage
>> about the potential avenue for exploits via kde and gnome application
>> launchers (it looks like xfce is safe, for now) [1], [2], [3].
>>
>> the core of the problem is that launchers have the ability to execute
>> perl, python, etc scripts without the executable bit set. this makes
>> it much easier for an attacker to get the user to download and run
>> potentially malicious code.
>
> It’s not just about perl or python scripts, a .desktop file can execute
> any command. We already have (unfortunately Debian-specific) patches to
> deal with this, see #408948 and #408556.
>
> Currently, .desktop files will be only launched if all these conditions
> are met:
> * the file is on the local host,
> * it belongs to root or to the current user,
> * its name ends in “.desktop”,
> * it’s not in a removable drive.
>
> To make this an email virus, you would have to send the file by e-mail,
> make the user save it on the local disk (while the file looks suspicious
> with its unknown type and extension), and make him browse to this
> directory and double-click on it. The last part is easier, but the first
> part sounds like expecting absolute stupidity. However I realize that
> it’s much easier to use the web as an attack vector, especially with
> epiphany which can download files automatically.
>
> The idea of requiring the executable bit is very nice, but it would
> require a real bunch of changes to ensure that .desktop files created by
> the user or copied with DnD have their executable bit set.
I really think this is the best way to go. It will require persuading &
co-ordinating with upstream, and certainly can't be done overnight, but
this is a very important and glaring security problem.
--
Sam Morris
https://robots.org.uk/
PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
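
The name and ownership conditions listed in the quoted message, together with the executable-bit requirement proposed in this thread, written as an audit check. This is an added example, not code from Nautilus or from the Debian patches; the function names are hypothetical, the sample launcher is constructed, and the local-host and removable-drive conditions are not covered.

```python
import os
import stat
import tempfile

def exec_line(path):
    """Return the Exec= value from the [Desktop Entry] group, or None."""
    in_group = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_group = (line == "[Desktop Entry]")
            elif in_group and "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                if key.strip() == "Exec":
                    return value.strip()
    return None

def launcher_findings(path, uid=None):
    """List the reasons a launcher fails the checks; an empty list means it passes."""
    uid = os.getuid() if uid is None else uid
    st = os.lstat(path)  # lstat: a symlink must not inherit its target's trust
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if not path.endswith(".desktop"):
        findings.append("name does not end in .desktop")
    if st.st_uid not in (0, uid):
        findings.append("not owned by root or the current user")
    if not st.st_mode & stat.S_IXUSR:
        findings.append("executable bit not set")
    return findings

def demo():
    # Constructed sample launcher, written to a temporary directory.
    sample = "[Desktop Entry]\nType=Application\nName=Example\nExec=sh -c 'echo hello'\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        before = launcher_findings(path)  # freshly saved file: no executable bit
        os.chmod(path, 0o755)             # the user explicitly marks it executable
        after = launcher_findings(path)
        return exec_line(path), before, after

if __name__ == "__main__":
    print(demo())
```

A file saved by a browser or mail client arrives without the executable bit, so it is reported until the user deliberately sets it.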