Closed Bug 1810191 (CVE-2023-29541) Opened 11 months ago Closed 8 months ago

.desktop file extension on Linux should be rewritten to .desktop.download to avoid users running local executables _if_ desktop files are executed by the user's file manager.

Categories

(Firefox :: File Handling, defect, P3)

Desktop
Linux
defect

Tracking

()

VERIFIED FIXED
113 Branch
Tracking Status
firefox-esr102 112+ verified
firefox111 --- wontfix
firefox112 + verified
firefox113 + verified

People

(Reporter: ameenbasha111, Assigned: Gijs)

References

Details

(Keywords: sec-moderate, sec-vector, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+][adv-esr102.10+])

Attachments

(5 files)

Hi Team before starting this have a Look into the below issue description. in which it shows the shortcuts files are restricted and Changed to .download But the same for Linux are not prevented

https://bugs.chromium.org/p/chromium/issues/detail?id=1307930

https://bugs.chromium.org/p/chromium/issues/detail?id=1140417

.desktop is a Shortcut file in linux similar to .lnk in Windows which could have ability to invoke the executables

Tested in Latest Version of FireFox in Linux 5.7.0-kali1-amd64 (KERNEL)

REPRODUCTION CASE

  1. Open the below attached html File in Firefox on linux
  2. You can see the shortcut file is allowed and downloaded in linux without renaming

Impact: Lead to Executing Code

I have added a POC HTML The resultant download file will invoke Calc when it is trying to execute

Flags: sec-bounty?

Any update regarding this issue?

Team can i get some update on this issue.

Serg said he can take a look.

Flags: needinfo?(sgalich)

I can not reproduce it on Ubuntu 22.04.1 LTS.

Ameen, what happens when you download this .desktop file in Chromium?

Flags: needinfo?(sgalich) → needinfo?(ameenbasha111)

Hi serg. it is similar to .lnk files in windows.

I have tested the same in Kali Linux and found vulnerable. On visiting the above html it will download a .desktop file. while trying to open it will invoke calc.

if this not opening calc in ubuntu. it might be due to the calc name was different in ubuntu. Kindly change accordingly in the above html

Flags: needinfo?(ameenbasha111)

(In reply to Ameen from comment #6)

Hi serg. it is similar to .lnk files in windows.

I have tested the same in Kali Linux and found vulnerable. On visiting the above html it will download a .desktop file. while trying to open it will invoke calc.

if this not opening calc in ubuntu. it might be due to the calc name was different in ubuntu. Kindly change accordingly in the above html

Ubuntu opens .desktop files in text editor by default, they don't launch the file the .desktop points at. See e.g. https://askubuntu.com/questions/1187934/cannot-launch-desktop-files-opens-with-text-editor-instead

You didn't answer the question about chromium... What do they do with this file?

Flags: needinfo?(ameenbasha111)

Ubuntu opens .desktop files in text editor by default, they don't launch the file the .desktop points at.

Regarding this can you check on kali linux once?

You didn't answer the question about chromium... What do they do with this file?

Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them

Flags: needinfo?(ameenbasha111)

(In reply to Ameen from comment #8)

Ubuntu opens .desktop files in text editor by default, they don't launch the file the .desktop points at.

Regarding this can you check on kali linux once?

You didn't answer the question about chromium... What do they do with this file?

Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them

I didn't ask about the symlink file. Please just answer the question. What happens in chromium when you download the .desktop file?

Flags: needinfo?(ameenbasha111)

Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them

in that i have mentioned the same but didn't get any much info from them

Have already responded for your query. Chrome is also having same issue and i clubbed and report the .symlink and .desktop to them but didn't get any update on this

Hope this clarify the points you needed.

Flags: needinfo?(ameenbasha111)

(In reply to Ameen from comment #10)

Have reported to chromium regarding symlink extension in that i have mentioned the same but didn't get any much info from them

in that i have mentioned the same but didn't get any much info from them

Have already responded for your query. Chrome is also having same issue and i clubbed and report the .symlink and .desktop to them but didn't get any update on this

Hope this clarify the points you needed.

Sorry, it wasn't clear to me that you also reported .desktop - your previous comment only referenced .symlink.

Can you please link to the chromium ticket? We try and coordinate so we don't 0-day each other and such. (it's fine if it's confidential at the moment, but then if we need to reach out we can at least share a link)

Flags: needinfo?(ameenbasha111)

Hi Gijs yes i can share some details about my issue in chromium. Currently my issue was marked as duplicate to some old ticket which is already fixed and not properly works.

From the Duplicate ticket i got the chromium fix link. i will share them hope it will give you some more clarity about this.

Fix Link: https://chromium.googlesource.com/chromium/src.git/+/b32471d5abb3b3a4fe56e1dd79871400b51a0cca

FYI: Regarding my issue in chrome i have asked my updates. if i got any ill update you the ticket id.

Flags: needinfo?(ameenbasha111)

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)
Severity: -- → S3
Flags: needinfo?(sgalich)

Hi guys its been 24 days since i raise this issue, can i get some progress update on this.

Status: UNCONFIRMED → NEW
Component: Security → File Handling
Ever confirmed: true
OS: Unspecified → Linux
Hardware: Unspecified → Desktop
See Also: → CVE-2023-25734
Summary: FireFox Allows Allows .desktop File extension in Linux Leads to Code execution → .desktop file extension on Linux should be rewritten to .desktop.download to avoid users running local executables _if_ desktop files are executed by the user's file manager.
Depends on: CVE-2023-29542
Priority: -- → P3

Dan, this doesn't have a security rating. bug 1809923 was sec-moderate. I'd want to argue this should be sec-low given it's linux-only and doesn't affect major distributions by default (because of what happens when you open .desktop files using the default file manager), and there's no case where credentials are shared across a network automatically or similar like for .url/.lnk/.local. On the flip side, AFAICT (although this wasn't explicit in the original report), it runs local executables with attacker-supplied commandline args, if executed, which seems worse than running things already on the user's machine without arguments, so maybe that means it should be sec-moderate or otherwise. Can you make a decision? Thanks!

Flags: needinfo?(dveditz)

Agreed that Kali is not major, but other than Ubuntu mentioned above do we know that it doesn't affect other distributions? The linked Chrome bug mentions it affected Debian using both GNOME and KDE desktops (but that was 2019!). In any case, a small affected population influences our priority for fixing more than the severity of the symptoms. We do sometimes temper a sec-high, but we shouldn't drop this further to sec-low. Especially not with the ability to include arbitrary arguments.

Flags: needinfo?(dveditz)
Keywords: sec-moderate

Hi Gijs yes i can share some details about my issue in chromium.

Gijs asked for the link. If there's still a problem in Chrome (see below) we need to give them the reference so both sides know we're talking about the same thing. The old chrome bug does not appear to show the bug merged into it, at least not that an unprivileged account can see.

Currently my issue was marked as duplicate to some old ticket which is already fixed and not properly works.

I'm not sure what you mean by that last bit. The simplest interpretations is that since the Chrome team duped it to a fixed bug, it's a simple typo for "now": now Chrome properly works. But if it was fixed 3 years ago you wouldn't have seen something that caused you to report it again. That argues that you meant something like "already fixed, but not properly/it doesn't work properly".

Flags: needinfo?(ameenbasha111)
Flags: needinfo?(ameenbasha111)
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Blocks: 1824959

(In reply to Ameen from comment #1)

.symlink extension also allowed, which also need to be restricted.

Symlink is a implicit shortcut file. so this is also considered to be dangerous and should be fixed to avoid any issues in future

Do you have a PoC/demo of .symlink as a file extension causing any issues? I'm familiar with symbolic links, but they don't need to have a specific extension. IOW, what software treats .symlink as a meaningful extension?

Flags: needinfo?(ameenbasha111)

Hi Gijs, As a short form of symbolic link i have mentioned it has symlink. This doesn't work as i expected for an exploit.

Kindly ignore this case, sorry for confusion. it is good to go with desktop fix.

Flags: needinfo?(ameenbasha111)
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

The patch landed in nightly and beta is affected.
:Gijs, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(gijskruitbosch+bugs)

Uplift Approval Request

  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1810191#c0 - post-patch the .desktop file should be renamed when downloaded (suffixed with .download)
  • User impact if declined: sec-moderate
  • Fix verified in Nightly: no
  • Explanation of risk level: Straightforward 2-line security fix.
  • Risk associated with taking this patch: low
  • String changes made/needed: Nope
  • Is Android affected?: no
  • Code covered by automated testing: no
Flags: qe-verify+

Uplift Approval Request

  • Fix verified in Nightly: no
  • User impact if declined: sec-moderate
  • Steps to reproduce for manual QE testing: See https://bugzilla.mozilla.org/show_bug.cgi?id=1810191#c0 - post-patch the .desktop file should be renamed when downloaded (suffixed with .download)
  • Needs manual QE test: yes
  • Code covered by automated testing: no
  • Is Android affected?: no
  • String changes made/needed: No
  • Risk associated with taking this patch: low
  • Explanation of risk level: Straightforward 2-line security fix.
Flags: needinfo?(gijskruitbosch+bugs)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]

I have reproduced this bug using an affected Nightly build (2023-01-13) with Ubuntu 18.04 x64.

The issue is verified on the fixed builds, latest Nightly 113.0a1, RC 112.0 and Esr 102.10 with Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty? → sec-bounty+
Keywords: sec-vector
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main112+][adv-esr102.10+]
Attached file advisory.txt

Team Kindly Share CVE ID for this issue

Alias: CVE-2023-29541
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.