.desktop file extension on Linux should be rewritten to .desktop.download to avoid users running local executables _if_ desktop files are executed by the user's file manager.
Categories
(Firefox :: File Handling, defect, P3)
Tracking
()
People
(Reporter: ameenbasha111, Assigned: Gijs)
References
Details
(Keywords: reporter-external, sec-moderate, sec-vector, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+][adv-esr102.10+])
Attachments
(5 files)
Hi Team before starting this have a Look into the below issue description. in which it shows the shortcuts files are restricted and Changed to .download But the same for Linux are not prevented
https://bugs.chromium.org/p/chromium/issues/detail?id=1307930
https://bugs.chromium.org/p/chromium/issues/detail?id=1140417
.desktop is a Shortcut file in linux similar to .lnk in Windows which could have ability to invoke the executables
Tested in Latest Version of FireFox in Linux 5.7.0-kali1-amd64 (KERNEL)
REPRODUCTION CASE
- Open the below attached html File in Firefox on linux
- You can see the shortcut file is allowed and downloaded in linux without renaming
Impact: Lead to Executing Code
I have added a POC HTML The resultant download file will invoke Calc when it is trying to execute
| Comment hidden (obsolete) |
|
||
Comment 5•1 year ago
|
||
I can not reproduce it on Ubuntu 22.04.1 LTS.
Ameen, what happens when you download this .desktop file in Chromium?
Hi serg. it is similar to .lnk files in windows.
I have tested the same in Kali Linux and found vulnerable. On visiting the above html it will download a .desktop file. while trying to open it will invoke calc.
if this not opening calc in ubuntu. it might be due to the calc name was different in ubuntu. Kindly change accordingly in the above html
|
Assignee | |
Comment 7•1 year ago
|
||
(In reply to Ameen from comment #6)
Hi serg. it is similar to .lnk files in windows.
I have tested the same in Kali Linux and found vulnerable. On visiting the above html it will download a .desktop file. while trying to open it will invoke calc.
if this not opening calc in ubuntu. it might be due to the calc name was different in ubuntu. Kindly change accordingly in the above html
Ubuntu opens .desktop files in text editor by default, they don't launch the file the .desktop points at. See e.g. https://askubuntu.com/questions/1187934/cannot-launch-desktop-files-opens-with-text-editor-instead
You didn't answer the question about chromium... What do they do with this file?
Ubuntu opens .desktop files in text editor by default, they don't launch the file the .desktop points at.
Regarding this can you check on kali linux once?
You didn't answer the question about chromium... What do they do with this file?
Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them
|
|
Assignee | |
Comment 9•1 year ago
|
||
(In reply to Ameen from comment #8)
Ubuntu opens .desktop files in text editor by default, they don't launch the file the .desktop points at.
Regarding this can you check on kali linux once?
You didn't answer the question about chromium... What do they do with this file?
Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them
I didn't ask about the symlink file. Please just answer the question. What happens in chromium when you download the .desktop file?
|
Reporter | |
Comment 10•1 year ago
|
||
Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them
in that i have mentioned the same but didn't get any much info from them
Have already responded for your query. Chrome is also having same issue and i clubbed and report the .symlink and .desktop to them but didn't get any update on this
Hope this clarify the points you needed.
|
|
Assignee | |
Comment 11•1 year ago
|
||
(In reply to Ameen from comment #10)
Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them
in that i have mentioned the same but didn't get any much info from them
Have already responded for your query. Chrome is also having same issue and i clubbed and report the .symlink and .desktop to them but didn't get any update on this
Hope this clarify the points you needed.
Sorry, it wasn't clear to me that you also reported .desktop - your previous comment only referenced .symlink.
Can you please link to the chromium ticket? We try and coordinate so we don't 0-day each other and such. (it's fine if it's confidential at the moment, but then if we need to reach out we can at least share a link)
|
|
Reporter | |
Comment 12•1 year ago
|
||
Hi Gijs yes i can share some details about my issue in chromium. Currently my issue was marked as duplicate to some old ticket which is already fixed and not properly works.
From the Duplicate ticket i got the chromium fix link. i will share them hope it will give you some more clarity about this.
Fix Link: https://chromium.googlesource.com/chromium/src.git/+/b32471d5abb3b3a4fe56e1dd79871400b51a0cca
FYI: Regarding my issue in chrome i have asked my updates. if i got any ill update you the ticket id.
|
||
Comment 13•1 year ago
|
||
The severity field is not set for this bug.
:serg, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Updated•1 year ago
|
|
|
Reporter | |
Comment 14•1 year ago
|
||
Hi guys its been 24 days since i raise this issue, can i get some progress update on this.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
| Comment hidden (duplicate) |
|
||
Updated•1 year ago
|
| Comment hidden (duplicate) |
|
|
Assignee | |
Comment 17•1 year ago
|
||
Dan, this doesn't have a security rating. bug 1809923 was sec-moderate. I'd want to argue this should be sec-low given it's linux-only and doesn't affect major distributions by default (because of what happens when you open .desktop files using the default file manager), and there's no case where credentials are shared across a network automatically or similar like for .url/.lnk/.local. On the flip side, AFAICT (although this wasn't explicit in the original report), it runs local executables with attacker-supplied commandline args, if executed, which seems worse than running things already on the user's machine without arguments, so maybe that means it should be sec-moderate or otherwise. Can you make a decision? Thanks!
|
||
Comment 18•1 year ago
|
||
Agreed that Kali is not major, but other than Ubuntu mentioned above do we know that it doesn't affect other distributions? The linked Chrome bug mentions it affected Debian using both GNOME and KDE desktops (but that was 2019!). In any case, a small affected population influences our priority for fixing more than the severity of the symptoms. We do sometimes temper a sec-high, but we shouldn't drop this further to sec-low. Especially not with the ability to include arbitrary arguments.
|
|
||
Comment 19•1 year ago
|
||
Hi Gijs yes i can share some details about my issue in chromium.
Gijs asked for the link. If there's still a problem in Chrome (see below) we need to give them the reference so both sides know we're talking about the same thing. The old chrome bug does not appear to show the bug merged into it, at least not that an unprivileged account can see.
Currently my issue was marked as duplicate to some old ticket which is already fixed and not properly works.
I'm not sure what you mean by that last bit. The simplest interpretations is that since the Chrome team duped it to a fixed bug, it's a simple typo for "now": now Chrome properly works. But if it was fixed 3 years ago you wouldn't have seen something that caused you to report it again. That argues that you meant something like "already fixed, but not properly/it doesn't work properly".
|
|
Reporter | |
Comment 20•1 year ago
|
||
|
|
Reporter | |
Comment 21•1 year ago
|
||
https://bugs.chromium.org/p/chromium/issues/detail?id=1407119
these two are my reports in chrome.
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 22•1 year ago
|
||
|
|
Assignee | |
Comment 23•1 year ago
|
||
(In reply to Ameen from comment #1)
.symlink extension also allowed, which also need to be restricted.
Symlink is a implicit shortcut file. so this is also considered to be dangerous and should be fixed to avoid any issues in future
Do you have a PoC/demo of .symlink as a file extension causing any issues? I'm familiar with symbolic links, but they don't need to have a specific extension. IOW, what software treats .symlink as a meaningful extension?
|
|
Reporter | |
Comment 24•1 year ago
|
||
Hi Gijs, As a short form of symbolic link i have mentioned it has symlink. This doesn't work as i expected for an exploit.
Kindly ignore this case, sorry for confusion. it is good to go with desktop fix.
|
||
Comment 25•1 year ago
|
||
|
|
||
Comment 26•1 year ago
|
||
The patch landed in nightly and beta is affected.
:Gijs, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox112towontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 27•1 year ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D171405
|
||
Comment 28•1 year ago
|
||
Uplift Approval Request
- Needs manual QE test: yes
- Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1810191#c0 - post-patch the .desktop file should be renamed when downloaded (suffixed with .download)
- User impact if declined: sec-moderate
- Fix verified in Nightly: no
- Explanation of risk level: Straightforward 2-line security fix.
- Risk associated with taking this patch: low
- String changes made/needed: Nope
- Is Android affected?: no
- Code covered by automated testing: no
|
|
Assignee | |
Comment 29•1 year ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D171405
|
|
||
Comment 30•1 year ago
|
||
Uplift Approval Request
- Fix verified in Nightly: no
- User impact if declined: sec-moderate
- Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1810191#c0 - post-patch the .desktop file should be renamed when downloaded (suffixed with .download)
- Needs manual QE test: yes
- Code covered by automated testing: no
- Is Android affected?: no
- String changes made/needed: No
- Risk associated with taking this patch: low
- Explanation of risk level: Straightforward 2-line security fix.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 31•1 year ago
|
||
| uplift | ||
| Comment hidden (obsolete) |
|
|
||
Comment 33•1 year ago
|
||
| uplift | ||
|
||
Updated•1 year ago
|
|
||
Comment 34•1 year ago
|
||
I have reproduced this bug using an affected Nightly build (2023-01-13) with Ubuntu 18.04 x64.
The issue is verified on the fixed builds, latest Nightly 113.0a1, RC 112.0 and Esr 102.10 with Ubuntu 18.04 x64.
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 35•1 year ago
|
||
|
|
Reporter | |
Comment 36•1 year ago
|
||
Team Kindly Share CVE ID for this issue
|
|
||
Updated•1 year ago
|
|
|
||
Updated•8 months ago
|
|
||
Updated•19 days ago
|
Description
•