Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Nov 2017 07:12:21 -0500
From: Robert Watson <robertcwatson1@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE-2017-14604] .desktop vulnerability again

On Thu, Oct 5, 2017 at 4:37 PM, Yves-Alexis Perez <corsac@...ian.org> wrote:
> Last time we had a vulnerability related to the handling of .desktop file, it
> was handled by refusing to run it unless it has the executable bit.
> Unfortunately, this permission bit is maintained when storing inside a
> tarball, for example, so if an attacker wraps an executable .desktop file
> posing (for example) as a PDF inside a tarball, a victim could extract the
> file and double click on the PDF and the system will happily execute the
> command inside the Exec= field of the .desktop file.

Why then can't I find any PDF files on my system with an executable bit set?

Wouldn't it be common for PDFs to be executable in order for this
exploit to work?

Why would a PDF, which is a specially formatted data file, be made executable?

I fear there may be one or more misunderstandings at play here of how
Unix/Linux works.

Some Experiments...

(0)  The Setup

[root@...3:/] ls -l /usr/share/applications/minimal.desktop
-rw-r--r-- 1 root root 28 2017-11-09 05:02
/usr/share/applications/minimal.desktop

[root@...3:/] cat /usr/share/applications/minimal.desktop
[Desktop Entry]
Exec=cat $0

(1)  Is .desktop file executed when all is normal?

[root@...3:/] /usr/share/applications/minimal.desktop
bash: /usr/share/applications/minimal.desktop: Permission denied

[root@...3:/] bash -c /usr/share/applications/minimal.desktop
bash: /usr/share/applications/minimal.desktop: Permission denied

(2)  Is .desktop file executable when made executable?

[root@...3:/] chmod 744 /usr/share/applications/minimal.desktop

[root@...3:/] ls -l /usr/share/applications/minimal.desktop
-rwxr--r-- 1 root root 28 2017-11-09 05:02
/usr/share/applications/minimal.desktop

[root@...3:/] /usr/share/applications/minimal.desktop
/usr/share/applications/minimal.desktop: line 1: [Desktop: command not found
/usr/share/applications/minimal.desktop: line 1: [Desktop: command not found
    (endless loop. Ctrl-C to abort)

[root@...3:/] bash -c '/usr/share/applications/minimal.desktop'
/usr/share/applications/minimal.desktop: line 1: [Desktop: command not found
/usr/share/applications/minimal.desktop: line 1: [Desktop: command not found
    (endless loop. Ctrl-C to abort)

(3) Is .desktop file executable by another user?

[root@...3:/] grep 'chromium' /etc/passwd
chromium:x:1005:1005:Software - chromium:/home/Chromium27:/bin/bash

[root@...3:/] su chromium -c '/usr/share/applications/minimal.desktop'
bash: /usr/share/applications/minimal.desktop: Permission denied

[root@...3:/] su - chromium -c '/usr/share/applications/minimal.desktop'
-bash: /usr/share/applications/minimal.desktop: Permission denied

CONCLUSIONS

(1)  File (and directory) ownership and permissions control what can
be executed. Not whether the command appears in a file or script
somewhere.

(2)  Appropriate settings of the standard ownership and permissions in
/etc/passwd and on the .desktop file seem to be working to prevent
unauthorized execution.

(3)  If an unexpected user IS able to execute the command, then the
system is misconfigured (a VERY common situation).

(4)  If misconfigured (incorrect ownership/permissions somewhere),
thinking a user shouldn't be able to do something because there is no
explicit path to doing it is a misunderstanding of how Unix/Linux
works.

(5)  The text following "Exec=" in a .desktop file is "exec'd". That
is, it replaces whatever program is processing the .desktop file. Then
the OUTPUT of the exec'd command is executed. That's not what I
expected. I expected the 'cat' command to display the contents of the
desktop file... not try to execute it recursively. Is that a bug or
just my misunderstanding of something?

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ