Linux file manager flaw leaves security "Bad Taste"
The vulnerability could execute malicious Windows scripts in Linux.
According to Nils Dagsson Moskopp, a security researcher that found the bug, the issue almost all GNOME Files-based file managers except for Caja, the latter being closely related to GNOME Files.
Dubbed Bad Taste, Moskopp developed a proof-of-concept to demonstrate the flaw. He created a blank file with the name badtaste.txt on a target system. He found that he could conceal VBScript inside names of MSI files. When a victim accesses a folder on their computer where a malicious MSI file is saved, GNOME Files automatically parse the file to extract an embedded icon from the file in question or deliver a fallback image for the appropriate file type.
The code injection flaw is found in "gnome-exe-thumbnailer" — this code generates thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME, which requires users to have Wine application installed on their systems to open it.
“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution,” he said in a blog post.
The vulnerability can be triggered by hackers using a variety of methods, such as inserting a USB drive with the malicious file store on it, or by delivery through a drive-by download.
Moskopp reported the issue to the GNOME Project and the Debian Project. Both organisations patched the flaw in the gnome-exe-thumbnailer file. The issue has also been tracked as CVE-2017-11421.
The flaw affects gnome-exe-thumbnailer prior to the 0.9.5 version. The security researcher advised users to delete all files in /usr/share/thumbnailers, not use GNOME files and uninstall any software that facilitates automatically execution of filenames as code.
Moskopp also said that developers should avoid using "bug-ridden ad-hoc parsers" to parse files, to "fully recognise inputs before processing them," and to use unparsers, instead of templates. Linux users should also update their systems as soon as possible via their update manager.