Shell Injection when changing Colors of a folder

[TheRegRunner]

Demo Exploit

1. start firefox

2. rename a folder with nemo to this folder name

";killall firefox;#

3. Now change the COLOR of the folder with nemo to some other color

4. Firefox will be killed for a prove of concept.

---

Reason is line 159 in nemo-folder-color-switcher.py

       # Touch the directory to make Nemo re-render its icons
        os.system("touch \"%s\"" % path)

The shell command in the folder path will be injected with os.system()

Please use subprocess, not os.system()
Thanks

[TheRegRunner]

Same Problem with filenames when you change the emblem with nemo

Line 132 in nemo-emblems.py

os.system("touch "%s"" % self.filename) # touch the file (to force Nemo to re-render its icon)

[TheRegRunner]

Exploit Demo Video (german)

https://youtu.be/E6IOHFeo9bE

[bitboy85]

Instead of spawning an external process i prefer using a build-in python function
Change: os.system("touch "%s"" % path)
To: os.utime(path, None)

Both act the same. touch will update the timestamp of last access, same does os.utime(None = Current time)

[TheRegRunner]

Don't forget to fix Line 132 in nemo-emblems.py
Thank you