.desktop files, serious security hole, virus-friendliness

Sam Watkins sam at nipl.net
Mon Apr 3 08:29:04 EEST 2006


peace,

I noticed quite a while ago that .desktop files as specified by
freedesktop.org open a window into GNU/Linux for a whole range of
viruses and trojans.  I think that this has been discussed
before.  I see that the issue has not been resolved so I'd like to
suggest a way to resolve it.

Conventionally files downloaded from the Internet cannot simply be
"clicked" to run them under unix/GNU/Linux, the execute permission must
be granted (or an installer used or archive extracted).

I feel this "x-bit" is the single best protection available to the
non-expert desktop user under Linux/UNIX, which prevents malware
becoming common in *nix.

.desktop files however are able to execute arbitrary shell commands
WITHOUT being "blessed" by the execute bit, just with a click.  Also
they are displayed differently from normal files, the .desktop extension
and the filename are hidden, which compounds the problem.

PLEASE LET'S FIX THIS BEFORE SOMEONE EXPLOITS IT!

I don't think a rapidly-spreading virus could be implemented by this
method, because the process is a little more complex than
normal "virus vectors", however it is still an open window for an
attack, it could be used against a specific person or by a general
obnoxious website to remove all of a user's files, or install
malware/spyware/adware.  Malware need not spread rapidly to be extremely
harmful.


The way to fix it:

Change the standard so .desktop files must be executable, and should
begin with a line like:

#!/usr/bin/desktop-launch

the desktop-launch script would simply run the Exec property of the
.desktop file as usual (or it might be a little more complex than
that).  KDE and Gnome etc. need not use the "desktop-launch" script when a
user double-clicks on a .desktop file, they can continue to launch an
application directly as they do now - but they MUST check that the
.desktop file has the executable bit set!

the #! line is only necessary so that if a user exec's the .desktop file
in the normal way (e.g. from the shell) it does more or less the right
thing, rather than running the .desktop file through the shell which
might cause problems.

We would need to coordinate with Gnome, KDE, GNU/Linux distributions and
other freedesktop-compatible environments to "upgrade" existing .desktop
files (add the #! line and chmod +x them).  Custom .desktop files
belonging to users must also be upgraded.  This should of course be done
interactively to avoid clobbering other files called ".desktop".

This indeed does sound like an enormous amount of work (specifically due
to the large number of packages containing .desktop files).  Perhaps
initially .desktop files that are owned by "root" (and presumably
packaged) might be executed in the old way, without the "x" bit.  In
that case, only a user's local desktop files would need to be upgraded
to the new standard.  Also a "confirm execute" dialogue might be used
by Gnome and KDE for user-writable .desktop files, and it might
chmod +x the file, something like what Windows XP is doing with
downloaded .exe files these days.  "do you really want to execute this,
it might be a virus!"

I feel very strongly that this "we can execute non-executable scripts"
misfeature of .desktop files is a very important issue to resolve,
so that we can keep the free desktops (almost) entirely free of malware
as *nix desktop environments become more popular.

please let me know what you think about this, and who would be likely to
be able to implement such a change.  (the politics, I mean, I expect
that any hacker could implement the code-changes)

If the webserver is working you can check out an example .desktop file
on the web, at:
  https://sam.nipl.ath.cx/virus.desktop

I've attached it and appended it to this email also.

It would be fairly easy with firefox / js to set up a thing that would
download this to a user's Desktop, with only a click "yes".  For now,
just click "save as", and save it on your desktop.  Once the thing
is downloaded, it could camouflage itself as any other application, hide
its filename etc.  This one says "Virus" but looks like the terminal
application.

The file is non-toxic, it just runs "xmessage", but as I would hope you
don't trust me with your filesystem, you might like to read it before
you click it ;)

sorry about the bogus https warnings on my website

I want to know:

1. do you agree that this is a serious security problem?
2. do you think we should fix it?

I'm happy to volunteer to do some of the work required to fix this
problem.

thanks for reading!  take care


Sam Watkins
sam at nipl.net


a .desktop file:

[Desktop Entry]
Version=1.0
Encoding=UTF-8
Name=Virus
Comment=not really a virus, just a demo
Exec=xmessage "boo, you DON'T have a virus!  at least not this time..."
Icon=gnome-terminal.png
Type=Application
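
An added example, not part of the original message and not code from any desktop environment: a sketch of the launcher-side check the message proposes (run if the execute bit is set, allow root-owned files the old way during transition, otherwise ask first, showing the real filename and Exec line). The function names, the `trusted_uid` parameter and the sample entry are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile

def launch_policy(mode, owner_uid, trusted_uid=0):
    """Decide how a launcher should treat a .desktop file under the proposal."""
    if mode & stat.S_IXUSR:
        return "run"          # the user has blessed it with the execute bit
    if owner_uid == trusted_uid:
        return "run-legacy"   # transitional rule: root-owned, presumably packaged
    return "confirm"          # downloaded or user-writable: ask before running

def inspect_desktop_file(path, trusted_uid=0):
    """Return the decision plus what a confirmation dialog should display."""
    st = os.stat(path)
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keys in .desktop files are case-sensitive
    parser.read(path, encoding="utf-8")
    entry = parser["Desktop Entry"]
    return {
        "decision": launch_policy(st.st_mode, st.st_uid, trusted_uid),
        "file": os.path.basename(path),  # real filename, not the Name= label
        "name": entry.get("Name", fallback=""),
        "exec": entry.get("Exec", fallback=""),
    }

# Constructed sample with the same shape as the demo entry in the message.
SAMPLE = """[Desktop Entry]
Version=1.0
Name=Virus
Exec=xmessage "demo"
Icon=gnome-terminal.png
Type=Application
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "virus.desktop")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)            # as saved by a browser download
        not_me = os.getuid() + 1         # assumption: trusted owner is another uid
        before = inspect_desktop_file(path, trusted_uid=not_me)
        os.chmod(path, 0o755)            # after the user runs chmod +x
        after = inspect_desktop_file(path, trusted_uid=not_me)
        return before, after

if __name__ == "__main__":
    for result in demo():
        print(result)
```
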