.desktop files, serious security hole, virus-friendliness

Benedikt Meurer benny at xfce.org
Wed Apr 5 16:43:25 EEST 2006


Sam Watkins wrote:
> Does anyone other than me think my proposed solution might be the right
> thing to do?  or can you offer some "tweaks" and criticisms to make it
> better?  If so, I'm happy to have a go at implementing it.

I still don't see the advantage of requiring +x for .desktop files. As
pointed out several times in this thread there are several ways for an
attacker to set the +x bit on a .desktop. For example, placing the
virus.desktop in an archive with +x set. The user would then extract the
archive and voila.

Also, most "good" software will tell people to "chmod +x $filename",
just like "bad" software will do. There's no way for the user to tell
whether it's really safe to follow the advice (except looking at the
Exec field, but that requires knowledge about the various common shell
commands).

There's also another scenario not yet covered by this thread: An
attacker with access to the file system could simply create a
myfile.png.desktop in /tmp (or another world-writable directory, which
the user is likely to visit from time to time) with a faked Icon that
looks like a thumbnail of a PNG file (maybe just a PNG file from the
users home dir), chmod +x myfile.png.desktop and wait for the user to
double click it. Dunno how relevant this case is in reality, but it
demonstrates that the +x bit requirement doesn't provide any advantages
over non-executable .desktop files.

And in the same light: The user double-clicks a .desktop file without +x
bit set. The file manager will consider this file "unsafe" as you said,
and pop up a dialog which says "The file is unsafe, blah, blah..." and
includes the value of the Exec field. Now imagine this user is just an
average desktop computer user and knows only a few basic shell commands.
How likely is it that this user would know what's going on here? Very
unlikely, indeed. So, he/she will probably just click "Run anyway", or a
more advanced user will maybe google for the problem and find a forum
which talks about this problem and suggests "chmod +x $filename" to
solve it.

The "solution" would only help to protect skilled users, who are able to
interpret the Exec value properly. And these skilled users will most
probably not "execute" malware anyway, because they are experienced at
guessing what kinds of mails/attachments are safe. The majority of users
will remain vulnerable to ".desktop file attacks" in one way or another.

> Sam

Benedikt
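An added example, not code from this thread or from any desktop project: a small Python audit that applies the heuristics discussed above to a .desktop file (document-style double extension, image-path Icon posing as a thumbnail, Exec launcher in a world-writable directory, and the +x bit being present but meaningless). It assumes the caller passes the file and directory permission bits as st_mode integers, and the sample entries are constructed for illustration.

```python
import configparser
import stat
from pathlib import PurePosixPath

# Extensions a user expects to open as a document, not to launch a program.
DOCUMENT_EXTS = {".png", ".jpg", ".jpeg", ".pdf", ".txt", ".odt", ".doc"}


def parse_desktop(text):
    """Parse .desktop INI text and return the [Desktop Entry] group as a dict."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation: Exec uses %u, %F
    cp.optionxform = str  # keys are case-sensitive in the spec
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def assess_desktop(path, text, file_mode, dir_mode):
    """Return warning strings for one .desktop file given its path, content,
    and the st_mode bits of the file and of the directory containing it."""
    entry = parse_desktop(text)
    warnings = []
    # "myfile.png.desktop": the inner extension mimics a document.
    inner = PurePosixPath(PurePosixPath(path).stem).suffix.lower()
    if inner in DOCUMENT_EXTS:
        warnings.append(f"double extension '{inner}.desktop' mimics a document")
    # A launcher dropped where anyone can write (/tmp and friends).
    if "Exec" in entry and dir_mode & stat.S_IWOTH:
        warnings.append("launcher with Exec lives in a world-writable directory")
    # Icon is a path to an image file (faked thumbnail), not a theme icon name.
    icon = entry.get("Icon", "")
    if "/" in icon and PurePosixPath(icon).suffix.lower() in DOCUMENT_EXTS:
        warnings.append(f"Icon is an image file path ({icon}), not a theme icon")
    # +x proves nothing: an archive or the attacker can set it just as well.
    if "Exec" in entry and file_mode & stat.S_IXUSR:
        warnings.append("+x is set, but that is no evidence the launcher is trusted")
    return warnings


# Constructed samples: the lure from the thread, and an ordinary launcher.
LURE = """[Desktop Entry]
Type=Application
Name=myfile.png
Icon=/home/user/Pictures/holiday.png
Exec=sh -c "echo constructed example"
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox
Exec=firefox %u
"""

if __name__ == "__main__":
    for w in assess_desktop("/tmp/myfile.png.desktop", LURE, 0o755, 0o1777):
        print("WARN:", w)
    print(assess_desktop("/usr/share/applications/firefox.desktop", BENIGN, 0o644, 0o755))
```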
