
Bug#516008: possible arbitrary code execution from .desktop files in email attachments



Package: kdebase-bin
Version: 4:3.5.9.dfsg.1-6
Severity: grave

hello,
as pointed out in http://www.geekzone.co.nz/foobar/6229 , at the moment KDE
and GNOME desktops allow code to be executed by reading and interpreting
so-called .desktop files, which are launcher files, without them being
executable.

This "feature" gives a malicious user the ability to make you download
and execute malicious code without being aware of it.

Scenario:
Attacker Alice knows that Bob runs KDE, so she sends him an email with an
attachment like the one included here.
The attachment is by default saved in a default location, which for many users
is ~/Desktop.

Later Bob looks at the Desktop but doesn't find any README file; instead
he finds a strange file with an appealing name. He double-clicks it, but instead
of launching the expected application the program executes a small script that
downloads, installs and executes malicious code on the box.

Problem:
Bob has been framed because he executed a program without being aware
of it.

Solution:

Change .desktop files to execute the command inside only if they have the
+x bit or, better, change those launcher files so that the first line would be
#!/usr/bin/desktop-launch, with the rest of the script following afterwards.
With the execute bit set this would become merely a normal script, which is
interpreted by the specified separate 'shell' or utility, rather than something
integrated into the desktop.

This issue has already been reported to freedesktop since 2006 but it has never
been solved; while I know it's not a problem specific to Debian only, it is
something that indeed affects Debian too and you should be aware of it.

In the attachment is one of those launcher files which, when double-clicked, will
execute two konquerors.

Regards
Samuele
 


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (600, 'unstable'), (550, 'testing'), (500, 'oldstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.27.1 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages kdebase-bin depends on:
ii  kdebase-runtime-bin-kd 4:4.1.0-2         core binaries for the KDE 4 base r
ii  kdelibs4c2a            4:3.5.10.dfsg.1-1 core libraries and binaries for al
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libgcc1                1:4.3.3-4         GCC support library
ii  libpam-runtime         1.0.1-5           Runtime support for the PAM librar
ii  libpam0g               1.0.1-5           Pluggable Authentication Modules l
ii  libqt3-mt              3:3.3.8b-5+b1     Qt GUI Library (Threaded runtime v
ii  libstdc++6             4.3.3-4           The GNU Standard C++ Library v3
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxcursor1            1:1.1.9-1         X cursor management library
ii  libxkbfile1            1:1.0.5-1         X11 keyboard file manipulation lib
ii  libxtst6               2:1.0.3-1         X11 Testing -- Resource extension 

kdebase-bin recommends no packages.

Versions of packages kdebase-bin suggests:
ii  gdb        6.8-3                         The GNU Debugger
ii  khelpcente 4:4.0.0.really.3.5.9.dfsg.1-6 help center for KDE

-- no debconf information

-- 
While various networks have become deeply rooted, and thoughts have been 
sent out as light and electrons in a singular direction, this era has 
yet to digitize/computerize to the degree necessary for individuals to 
become a singular complex entity.
  KOUKAKU KIDOUTAI Stand Alone Complex
[Desktop Entry]
Type=Application
Name=Naked Chicks 2009.ppt
Exec=konqueror; konqueror
Icon=/usr/share/icons/hicolor/48x48/apps/ooo-writer.png
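A defender-side check implementing the rule proposed in the report above, added here as an example and not part of the bug report or of KDE/GNOME code: it refuses to honour Exec= when the launcher lacks the +x bit, and additionally flags a Name= ending in a document suffix and shell metacharacters in Exec=. The sample launchers, the demo() driver, the suffix list and the metacharacter set are constructed assumptions, not the desktop-entry specification.

```python
import os
import tempfile

# Constructed copies of the report's attachment (Icon= omitted) and of a benign launcher.
ATTACHED_LAUNCHER = "[Desktop Entry]\nType=Application\nName=Naked Chicks 2009.ppt\nExec=konqueror; konqueror\n"
BENIGN_LAUNCHER = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=kwrite %U\n"
DOCUMENT_SUFFIXES = (".ppt", ".doc", ".pdf", ".txt", ".odt", ".xls")  # assumed heuristic list
EXEC_MASK = 0o111  # any of the user/group/other execute bits

def parse_desktop_entry(text):
    """Collect key=value pairs from the [Desktop Entry] group; other groups are ignored."""
    entry, in_group = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def launch_decision(path):
    """Apply the report's proposed rule (no +x bit -> do not run Exec=) plus two
    heuristics for disguised launchers. Returns (allowed, reasons)."""
    with open(path, encoding="utf-8") as fh:
        entry = parse_desktop_entry(fh.read())
    reasons = []
    if entry.get("Type") == "Application" and "Exec" in entry:
        if not os.stat(path).st_mode & EXEC_MASK:
            reasons.append("Exec= present but file lacks the +x bit")
        if entry.get("Name", "").lower().endswith(DOCUMENT_SUFFIXES):
            reasons.append("Name= looks like a document while Type=Application")
        if any(ch in entry["Exec"] for ch in ";|&`$"):
            reasons.append("Exec= contains shell metacharacters")
    return not reasons, reasons

def demo():
    """Hypothetical driver: write the samples with the given modes, return the decisions."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, text, mode in (("attached_0644", ATTACHED_LAUNCHER, 0o644),
                                  ("attached_0755", ATTACHED_LAUNCHER, 0o755),
                                  ("benign_0755", BENIGN_LAUNCHER, 0o755)):
            path = os.path.join(tmp, label + ".desktop")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[label] = launch_decision(path)
    return results
```

Running demo() refuses the attached launcher with three reasons when saved with mode 0644, still refuses it with two reasons after chmod +x, and allows the benign executable launcher.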
