Security vulnerability by allowing parsing by mime type and a defacto standard
Submitted by swo..@..ol.com
Assigned to Allison Lortie @desrt
Description
The initial report about this problem was made here: http://sourceforge.net/p/pcmanfm/bugs/856/
Currently a standard and a de facto standard together cause a security vulnerability in desktop files. I'll begin with the standard. Quote from here (http://standards.freedesktop.org/desktop-entry-spec/latest/ar01s02.html):
When no file extension is present, the desktop system should fall back to recognition via "magic detection".
With this in mind here is an example desktop file an attacker may create:
[Desktop Entry]
Exec=sh -c 'xdg-open /usr/local/share/image/hot_girl.jpg; /usr/local/bin/keylogger'
Icon=/usr/share/icons/nuoveXT2/48x48/mimetypes/image.png
NoDisplay=true
Type=Application
The file is named hot_girl.jpg. If the user finds the file, the name may tempt him to open it. The Icon key also hides the file behind an image icon so that the user doesn't become suspicious. If the user opens the file, it opens the real image, so the user still doesn't become suspicious, but it also starts a keylogger in the background.
If the specification only allowed a desktop system to recognise desktop files when they have a .desktop file extension, a user couldn't be tricked this easily: the file would have to be named hot_girl.jpg.desktop to start the keylogger, which gives him a chance to become suspicious.
What do you think about this? Normally all desktop files from repositories have valid .desktop file extensions, so making this part stricter wouldn't affect those systems. Or are there known special cases where it could hurt backwards compatibility?
But I also want to extend this example a little with a de facto standard that many file managers seem to follow: they present desktop files in the file manager not with the real filename but replace it with the Name key. This means that even if desktop files were made stricter by always requiring a .desktop file extension, an attacker could rely on the de facto standard and simply add the line "Name=hot_girl.jpg" to fake the filename.
What I want to achieve is that the desktop entry specification decides whether this behaviour should be allowed or not (logically, allowing it would make restricting desktop files to always having a .desktop file extension useless).
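As an added example (not from this report or any file manager's code), a Python check a file manager could apply before treating bytes that parse as a desktop entry as one: it flags the three lures described above (no .desktop extension, a Name key that mimics a data filename, an application using a mimetype icon) and shows how the Name substitution can be limited to clean *.desktop files. The sample entry, function names and exact checks are assumptions.

```python
import configparser
import re

GROUP = "Desktop Entry"
# A short extension other than .desktop makes a Name= value look like a data file.
DATA_EXT_RE = re.compile(r"\.(?!desktop$)[A-Za-z0-9]{1,5}$")

def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or None if the text is not one."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # desktop entry keys are case-sensitive
    try:
        cp.read_string(text)
    except configparser.Error:  # e.g. a real JPEG has no section header
        return None
    return dict(cp.items(GROUP)) if cp.has_section(GROUP) else None

def audit_desktop_file(basename, text):
    """List the lures from the report for a file whose content parses as a desktop entry."""
    entry = parse_desktop_entry(text)
    if entry is None:
        return []
    findings = []
    if not basename.endswith(".desktop"):
        findings.append("desktop entry recognised by magic, not by extension: " + basename)
    name = entry.get("Name", "")
    if DATA_EXT_RE.search(name):
        findings.append("Name key mimics a data filename: " + name)
    if entry.get("Type") == "Application" and "/mimetypes/" in entry.get("Icon", ""):
        findings.append("application borrows a mimetype icon: " + entry["Icon"])
    return findings

def display_name(basename, text):
    """Name a file manager should show: honour Name= only for a clean *.desktop file."""
    if basename.endswith(".desktop") and not audit_desktop_file(basename, text):
        entry = parse_desktop_entry(text)
        if entry and entry.get("Name"):
            return entry["Name"]
    return basename

# Constructed sample mirroring the report: a desktop entry saved under the name hot_girl.jpg.
SAMPLE = """[Desktop Entry]
Exec=/tmp/placeholder-program
Icon=/usr/share/icons/nuoveXT2/48x48/mimetypes/image.png
Name=hot_girl.jpg
Type=Application
"""
```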