.desktop file extension on Linux should be rewritten to .desktop.download to avoid users running local executables _if_ desktop files are executed by the user's file manager.
Categories: Firefox :: File Handling, defect, P3
People: Reporter: ameenbasha111, Assigned: Gijs
Details: Keywords: reporter-external, sec-moderate, sec-vector; Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+][adv-esr102.10+]
Attachments: 5 files
Hi Team, before starting this, have a look at the below issue descriptions, in which it shows that shortcut files are restricted and changed to .download, but the same for Linux is not prevented.
https://bugs.chromium.org/p/chromium/issues/detail?id=1307930
https://bugs.chromium.org/p/chromium/issues/detail?id=1140417
.desktop is a shortcut file in Linux, similar to .lnk in Windows, which could have the ability to invoke executables.
Tested in the latest version of Firefox on Linux 5.7.0-kali1-amd64 (kernel).
REPRODUCTION CASE
- Open the below attached HTML file in Firefox on Linux
- You can see the shortcut file is allowed and downloaded on Linux without renaming
Impact: leads to executing code
I have added a POC HTML. The resultant download file will invoke Calc when one tries to execute it.
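An added example (not part of this report, nor Firefox's code) showing the defensive side of the issue: renaming launcher-type downloads with a .download suffix, as the fix does, and triaging a downloaded .desktop entry for an Exec= line that would run a local program with supplied arguments. The extension list, the sample entry and the function names are assumptions of this example.

```python
import re
from pathlib import PurePosixPath

# Extensions a desktop environment may treat as launchers: .desktop is the one
# this bug is about; .lnk/.url/.local are the Windows shortcut formats the
# discussion compares it with. Illustrative list, not Firefox's actual table.
LAUNCHER_EXTENSIONS = {".desktop", ".lnk", ".url", ".local"}


def safe_download_name(filename: str) -> str:
    """Name to save a download under: launcher-type extensions get '.download'
    appended so a file manager no longer treats the file as a shortcut (the
    mitigation this bug shipped). Other names are returned unchanged."""
    cleaned = filename.rstrip(" .")  # 'x.DESKTOP ' must not slip past the check
    if PurePosixPath(cleaned).suffix.lower() in LAUNCHER_EXTENSIONS:
        return cleaned + ".download"
    return cleaned


_KEY_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def desktop_entry_risk(text: str) -> dict:
    """Triage a downloaded .desktop file: is it an Application entry, which
    program would Exec= run, and does the command carry arguments (the detail
    that raised the severity in this bug)? Exec= is split on whitespace, a
    simplification of the spec's quoting rules that is enough for triage."""
    keys = {}
    in_entry = False
    for line in text.splitlines():
        if line.startswith("["):           # only the [Desktop Entry] group counts
            in_entry = line.strip() == "[Desktop Entry]"
            continue
        match = _KEY_RE.match(line) if in_entry else None
        if match:
            keys[match.group(1)] = match.group(2)
    argv = keys.get("Exec", "").split()
    return {
        "launches_program": keys.get("Type") == "Application" and bool(argv),
        "program": argv[0] if argv else None,
        "has_arguments": len(argv) > 1,
    }


# Constructed sample entry (not the reporter's PoC): a file named like a
# document that would run a local program with a caller-chosen argument.
SAMPLE_ENTRY = """[Desktop Entry]
Type=Application
Name=Invoice
Exec=/usr/bin/example-tool --option caller-chosen-value
"""
```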
Comment 5•2 years ago
I can not reproduce it on Ubuntu 22.04.1 LTS.
Ameen, what happens when you download this .desktop file in Chromium?
Hi serg, it is similar to .lnk files in Windows.
I have tested the same in Kali Linux and found it vulnerable. On visiting the above HTML it will download a .desktop file; when trying to open it, it will invoke calc.
If this is not opening calc in Ubuntu, it might be because the calc name is different in Ubuntu. Kindly change it accordingly in the above HTML.
Comment 7•2 years ago (Assignee)
(In reply to Ameen from comment #6)
Hi serg, it is similar to .lnk files in Windows.
I have tested the same in Kali Linux and found it vulnerable. On visiting the above HTML it will download a .desktop file; when trying to open it, it will invoke calc.
If this is not opening calc in Ubuntu, it might be because the calc name is different in Ubuntu. Kindly change it accordingly in the above HTML.
Ubuntu opens .desktop files in a text editor by default; they don't launch the file the .desktop points at. See e.g. https://askubuntu.com/questions/1187934/cannot-launch-desktop-files-opens-with-text-editor-instead
You didn't answer the question about chromium... What do they do with this file?
Comment 8•2 years ago (Reporter)
Ubuntu opens .desktop files in a text editor by default; they don't launch the file the .desktop points at.
Regarding this, can you check on Kali Linux once?
You didn't answer the question about chromium... What do they do with this file?
I have reported to Chromium regarding the symlink extension; in that I have mentioned the same but didn't get much info from them.
Comment 9•2 years ago (Assignee)
(In reply to Ameen from comment #8)
Ubuntu opens .desktop files in a text editor by default; they don't launch the file the .desktop points at.
Regarding this, can you check on Kali Linux once?
You didn't answer the question about chromium... What do they do with this file?
I have reported to Chromium regarding the symlink extension; in that I have mentioned the same but didn't get much info from them.
I didn't ask about the symlink file. Please just answer the question. What happens in chromium when you download the .desktop file?
Comment 10•2 years ago (Reporter)
I have reported to Chromium regarding the symlink extension; in that I have mentioned the same but didn't get much info from them.
I have already responded to your query. Chrome is also having the same issue, and I clubbed and reported the .symlink and .desktop to them but didn't get any update on this.
Hope this clarifies the points you needed.
Comment 11•2 years ago (Assignee)
(In reply to Ameen from comment #10)
I have reported to Chromium regarding the symlink extension; in that I have mentioned the same but didn't get much info from them.
I have already responded to your query. Chrome is also having the same issue, and I clubbed and reported the .symlink and .desktop to them but didn't get any update on this.
Hope this clarifies the points you needed.
Sorry, it wasn't clear to me that you also reported .desktop - your previous comment only referenced .symlink.
Can you please link to the chromium ticket? We try and coordinate so we don't 0-day each other and such. (it's fine if it's confidential at the moment, but then if we need to reach out we can at least share a link)
Comment 12•2 years ago (Reporter)
Hi Gijs, yes I can share some details about my issue in Chromium. Currently my issue was marked as duplicate to some old ticket which is already fixed and not properly works.
From the duplicate ticket I got the Chromium fix link. I will share it; hope it will give you some more clarity about this.
Fix Link: https://chromium.googlesource.com/chromium/src.git/+/b32471d5abb3b3a4fe56e1dd79871400b51a0cca
FYI: Regarding my issue in Chrome, I have asked for updates. If I get any, I'll update you with the ticket ID.
Comment 13•2 years ago
The severity field is not set for this bug.
:serg, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 14•2 years ago (Reporter)
Hi guys, it's been 24 days since I raised this issue; can I get some progress update on this?
Comment 17•2 years ago (Assignee)
Dan, this doesn't have a security rating. bug 1809923 was sec-moderate. I'd want to argue this should be sec-low given it's linux-only and doesn't affect major distributions by default (because of what happens when you open .desktop files using the default file manager), and there's no case where credentials are shared across a network automatically or similar like for .url/.lnk/.local. On the flip side, AFAICT (although this wasn't explicit in the original report), it runs local executables with attacker-supplied commandline args, if executed, which seems worse than running things already on the user's machine without arguments, so maybe that means it should be sec-moderate or otherwise. Can you make a decision? Thanks!
Comment 18•2 years ago
Agreed that Kali is not major, but other than Ubuntu mentioned above do we know that it doesn't affect other distributions? The linked Chrome bug mentions it affected Debian using both GNOME and KDE desktops (but that was 2019!). In any case, a small affected population influences our priority for fixing more than the severity of the symptoms. We do sometimes temper a sec-high, but we shouldn't drop this further to sec-low. Especially not with the ability to include arbitrary arguments.
Comment 19•2 years ago
Hi Gijs, yes I can share some details about my issue in Chromium.
Gijs asked for the link. If there's still a problem in Chrome (see below) we need to give them the reference so both sides know we're talking about the same thing. The old chrome bug does not appear to show the bug merged into it, at least not that an unprivileged account can see.
Currently my issue was marked as duplicate to some old ticket which is already fixed and not properly works.
I'm not sure what you mean by that last bit. The simplest interpretation is that since the Chrome team duped it to a fixed bug, it's a simple typo for "now": now Chrome properly works. But if it was fixed 3 years ago you wouldn't have seen something that caused you to report it again. That argues that you meant something like "already fixed, but not properly/it doesn't work properly".
Comment 21•2 years ago (Reporter)
https://bugs.chromium.org/p/chromium/issues/detail?id=1407119
These two are my reports in Chrome.
Comment 23•2 years ago (Assignee)
(In reply to Ameen from comment #1)
The .symlink extension is also allowed, which also needs to be restricted.
A symlink is an implicit shortcut file, so this is also considered to be dangerous and should be fixed to avoid any issues in future.
Do you have a PoC/demo of .symlink as a file extension causing any issues? I'm familiar with symbolic links, but they don't need to have a specific extension. IOW, what software treats .symlink as a meaningful extension?
Comment 24•2 years ago (Reporter)
Hi Gijs, as a short form of symbolic link I have mentioned it as symlink. This doesn't work as I expected for an exploit.
Kindly ignore this case, sorry for the confusion. It is good to go with the desktop fix.
Comment 26•2 years ago
The patch landed in nightly and beta is affected.
:Gijs, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox112 to wontfix.
For more information, please visit auto_nag documentation.
Comment 27•2 years ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D171405
Comment 28•2 years ago
Uplift Approval Request
- Needs manual QE test: yes
- Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1810191#c0 - post-patch the .desktop file should be renamed when downloaded (suffixed with .download)
- User impact if declined: sec-moderate
- Fix verified in Nightly: no
- Explanation of risk level: Straightforward 2-line security fix.
- Risk associated with taking this patch: low
- String changes made/needed: Nope
- Is Android affected?: no
- Code covered by automated testing: no
Comment 29•2 years ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D171405
Comment 30•2 years ago
Uplift Approval Request
- Fix verified in Nightly: no
- User impact if declined: sec-moderate
- Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1810191#c0 - post-patch the .desktop file should be renamed when downloaded (suffixed with .download)
- Needs manual QE test: yes
- Code covered by automated testing: no
- Is Android affected?: no
- String changes made/needed: No
- Risk associated with taking this patch: low
- Explanation of risk level: Straightforward 2-line security fix.
Comment 31•2 years ago
uplift
Comment 33•2 years ago
uplift
Comment 34•2 years ago
I have reproduced this bug using an affected Nightly build (2023-01-13) with Ubuntu 18.04 x64.
The issue is verified on the fixed builds, latest Nightly 113.0a1, RC 112.0 and ESR 102.10, with Ubuntu 18.04 x64.
Comment 36•2 years ago (Reporter)
Team, kindly share the CVE ID for this issue.