Bug#516008: possible arbitrary code execution from .desktop files in email attachments
Package: kdebase-bin
Version: 4:3.5.9.dfsg.1-6
Severity: grave
Hello,
as pointed out in http://www.geekzone.co.nz/foobar/6229 , at the moment the KDE
and GNOME desktops allow code to be executed by reading and interpreting
so-called .desktop files, which are launcher files, without them being
executable.
This "feature" gives a malicious user the ability to make you download
and execute malicious code without being aware of it.
Scenario:
Attacker Alice knows that Bob runs KDE, so she sends him an email with an
attachment like the one included here.
The attachment is by default saved in a default location, which for many users
is ~/Desktop.
Later Bob looks on the Desktop but doesn't find any README file; instead he
finds a strange file with an appealing name. He double-clicks it, but instead
of launching the expected application the program executes a small script that
downloads, installs and executes malicious code on the box.
Problem:
Bob has been framed because he executed a program without being aware
of it.
Solution:
Change .desktop files to execute the command inside only if they have the
+x bit or - better - change those launcher files so that the first line would be
#!/usr/bin/desktop-launch, with the rest of the script following afterwards.
With the execute bit set this would become merely a normal script, which is
interpreted by the specified separate 'shell' or utility, rather than something
integrated into the desktop.
This issue has already been reported to freedesktop since 2006 but it has never
been solved; while I know it's not a problem specific to Debian only, it is
something that indeed affects Debian too and you should be aware of it.
Attached is one of those launcher files which, when double-clicked, will execute
two konquerors.
Regards
Samuele
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (600, 'unstable'), (550, 'testing'), (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.27.1 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages kdebase-bin depends on:
ii kdebase-runtime-bin-kd 4:4.1.0-2 core binaries for the KDE 4 base r
ii kdelibs4c2a 4:3.5.10.dfsg.1-1 core libraries and binaries for al
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libgcc1 1:4.3.3-4 GCC support library
ii libpam-runtime 1.0.1-5 Runtime support for the PAM librar
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libqt3-mt 3:3.3.8b-5+b1 Qt GUI Library (Threaded runtime v
ii libstdc++6 4.3.3-4 The GNU Standard C++ Library v3
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxcursor1 1:1.1.9-1 X cursor management library
ii libxkbfile1 1:1.0.5-1 X11 keyboard file manipulation lib
ii libxtst6 2:1.0.3-1 X11 Testing -- Resource extension
kdebase-bin recommends no packages.
Versions of packages kdebase-bin suggests:
ii gdb 6.8-3 The GNU Debugger
ii khelpcente 4:4.0.0.really.3.5.9.dfsg.1-6 help center for KDE
-- no debconf information
--
While various networks have become deeply rooted, and thoughts have been
sent out as light and electrons in a singular direction, this era has
yet to digitize/computerize to the degree necessary for individuals to
become a singular complex entity.
KOUKAKU KIDOUTAI Stand Alone Complex
[Desktop Entry]
Type=Application
Name=Naked Chicks 2009.ppt
Exec=konqueror; konqueror
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png