Caja hides filename for .desktop files with execute permission #727

Open
cboxdoerfer opened this issue Jan 31, 2017 · 7 comments

@cboxdoerfer
commented Jan 31, 2017

How to reproduce:

  1. Create a file called malware.desktop

  2. Add the following content to it:

         [Desktop Entry]
         Name=CV.pdf
         Exec=sh -c 'touch ~/MALWARE_WAS_HERE'
         Terminal=false
         Icon=x-office-document
         Type=Application
         Categories=Office

  3. Make it executable

Caja displays the file like that:

Screenshot

Once the user opens the file, the Exec entry is executed without any confirmation. By hiding the filename, and therefore also the filename extension, users can easily be tricked into executing arbitrary code when someone ships files like that in an archive which preserves execute permissions.

How to fix it:

Maybe by not hiding the filename for .desktop files at all.

For reference, this bug also applies to other file managers:
lxqt/pcmanfm-qt#449
linuxmint/nemo#1404
https://bugzilla.gnome.org/show_bug.cgi?id=777991

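A check a recipient could run on a tar archive before unpacking it, flagging the kind of launcher described in this issue. This is an added example, not part of the issue or of Caja's code; the function names and the `DOC_EXTS` list are assumptions chosen for illustration, and the name test is a heuristic.

```python
import stat
import tarfile
from pathlib import PurePosixPath

# Extensions a display name might borrow to pass as a document (assumed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".odt", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def audit_launcher(filename, mode, text):
    """List reasons why a .desktop file deserves a look before it is opened."""
    entry = parse_desktop_entry(text)
    if not filename.endswith(".desktop") or entry.get("Type") != "Application":
        return []
    findings = []
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    # Name and localized Name[xx] keys are what the file manager displays.
    for key, value in entry.items():
        if key.split("[")[0] == "Name" and PurePosixPath(value).suffix.lower() in DOC_EXTS:
            findings.append(f"{key}={value} looks like a document filename")
    if findings and "Exec" in entry:
        findings.append(f"runs: {entry['Exec']}")
    return findings

def audit_tar(fileobj):
    """Audit every .desktop member of a tar archive without extracting it."""
    report = {}
    with tarfile.open(fileobj=fileobj) as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".desktop"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                hits = audit_launcher(member.name, member.mode, text)
                if hits:
                    report[member.name] = hits
    return report
```

`audit_tar` takes a binary file object such as `open("archive.tar", "rb")` and returns a dict mapping each flagged member to its findings; an empty dict means no launcher matched.
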
@lukefromdc

Member

commented Jan 31, 2017

@stavpup


commented Jan 31, 2017

that was for testing purposes only...

@lukefromdc

Member

commented Jan 31, 2017

Obviously the test file used such a name, that is part of a good proof of concept and a warning. The point I was trying to make is that showing the filename contributes little to security if the attack binary and its launcher are given names people expect. Worst case would be an app that actually does something useful but bundled with malware fired up from the same launcher or even linked into the same binary.

Second worst is pure malware named for such an app, the user finding that say, a Twitter or Dropbox app (just as an example) appears not to work when it actually launches the malware. That would probably prevent it from being manually started on subsequent boots and might prompt the user to get rid of it.

Real worst case is a systemd or autostart job and no desktop or menu launcher at all, as this survives reboots and is hidden from anyone who does not keep an eye on those directories.

@C0rn3j


commented Jan 31, 2017

As it stands Caja hides the extension AND does not ask before executing code.

Confirmation before executing is a must imo if the extension stays hidden.

@lukefromdc

Member

commented Jan 31, 2017

It used to treat at least some new launchers as untrusted until the user marked them otherwise

@joopbraak


commented Feb 24, 2017

@lukefromdc
You obviously don't have a clue what you're talking about (or at least what this bug is about), so could you please refrain from commenting any more, so people can concentrate on fixing this bug?
Thank you.

@raveit65

Member

commented Feb 24, 2017

thx for this....unsubscribe....

@mate-desktop mate-desktop locked and limited conversation to collaborators Feb 25, 2017
