[Emotional] So I got curious if a simple archive can screw me over...

Chat about Linux in general
lamefun
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

[Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

Turns out it can, in just a few simple steps...
  1. Create a file Document.desktop with the following contents:

    [Desktop Entry]
    # Name= and Icon= are what the file manager shows; both impersonate an ODF document
    Name=Document.odt
    Icon=application-vnd.oasis.opendocument.text
    # Type=Application turns this into a launcher instead of a document shortcut
    Type=Application
    # Exec= is the command line that actually runs when the "document" is opened
    Exec=zenity --warning --title "Gotcha!" --text "You have virus!"
    Terminal=false

  2. Make it executable.
  3. Pack into a Document.7z.
  4. Rename to Document.zip for maximum deception (optional).
  5. "Extract Here" in Nemo.
  6. Open the fake Document.odt.
  7. Enjoy your fake virus dialog!
And here goes my faith in Linux and FOSS... This kind of a loophole is something I would expect from the likes of Windows 95, and not from Linux... This, folks, is why you use proprietary software like Windows® 10™ from Microsoft®, which has a wide variety of anti-virus programs available for it, designed by the world's leading security professionals using the latest state-of-the-art advancements in AI and machine learning, capable of operating on a computer that has already been thoroughly infected and cleaning it up! They're literally like magic, and would've caught something like this immediately! Use PRO(!)prietary software! PRO! PRO!

But seriously... Please tell me I'm a stupid idiot, wrong, and missed something obvious! I've tried this again and again hoping this is not true, but it works every time... I've tried it in MATE too, same problem...
Last edited by lamefun on Tue May 19, 2020 12:39 am, edited 5 times in total.

lsemmens
Level 10
Posts: 3414
Joined: Wed Sep 10, 2014 9:07 pm
Location: Rural South Australia

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lsemmens »

Your point?
Fully mint Household
Out of my mind - please leave a message

lamefun
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

Am I supposed to run find <dir> -executable -type f after unpacking every archive I download, to see if any of the files in it is actually a desktop shortcut that will infect my computer with a virus? Desktop shortcuts can fake both the extension and the icon in Nemo when made executable, and the 7z archive format preserves the executable flag...
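An added, runnable walk-through of the seven steps from the first post together with the `find <dir> -executable -type f` question above (example code written for this page, not code from the thread or from Nemo). It packs the launcher as tar.gz instead of 7z, since tar also stores the mode bits; the file names, the extension list and the MIME-icon heuristic are constructed for illustration. It builds the archive, extracts it the way "Extract Here" would, scans the extracted tree for armed launchers, strips the execute bit, and rescans.

```python
"""Added example, not code from the thread or from Nemo: reproduces the archive
trick end to end (build, extract, detect, disarm). Assumptions: tar.gz in place
of 7z; all names, the extension list and the icon heuristic are constructed."""
import io
import os
import stat
import tarfile
import tempfile
from dataclasses import dataclass

# Same launcher as in the first post: name and icon say "ODF document", but
# Type=Application plus Exec= makes a file manager that honours executable
# .desktop files run the command instead of opening a document.
FAKE_DESKTOP = """[Desktop Entry]
Name=Document.odt
Icon=application-vnd.oasis.opendocument.text
Type=Application
Exec=zenity --warning --title "Gotcha!" --text "You have virus!"
Terminal=false
"""

# Extensions a launcher's Name= has no business ending in (constructed list).
DATA_FILE_EXTS = (".odt", ".ods", ".pdf", ".doc", ".docx", ".txt",
                  ".mp3", ".mp4", ".mkv", ".jpg", ".png", ".zip")
MIME_ICON_PREFIXES = ("application-", "text-", "image-", "audio-", "video-")


@dataclass
class Finding:
    path: str
    displayed_name: str
    exec_line: str
    reason: str


def build_poc_archive(path: str, executable: bool = True) -> None:
    """Steps 1-3: pack Document.desktop into a tar.gz, with or without the x bit."""
    data = FAKE_DESKTOP.encode()
    info = tarfile.TarInfo("Document.desktop")
    info.size = len(data)
    info.mode = 0o755 if executable else 0o644  # the bit the victim never has to set
    with tarfile.open(path, "w:gz") as tf:
        tf.addfile(info, io.BytesIO(data))


def extract_archive(archive: str, dest: str) -> None:
    """Step 5 ("Extract Here"): tarfile re-applies the stored mode, as 7z/tar do."""
    with tarfile.open(archive, "r:gz") as tf:
        try:
            tf.extractall(dest, filter="data")  # Python 3.12+: keeps the owner x bit
        except TypeError:                        # older Python has no filter= argument
            tf.extractall(dest)


def parse_desktop_entry(path: str) -> dict:
    """Return the keys of the [Desktop Entry] group as a dict."""
    entry, in_group = {}, False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("["):
                in_group = line == "[Desktop Entry]"
            elif in_group and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip()
    return entry


def scan_extracted_tree(root: str) -> list:
    """The 'find -executable' check, narrowed to armed launchers. System launchers
    under /usr/share/applications are not executable, so one arriving executable
    inside a downloaded archive is suspicious by itself; the extra reasons record
    the disguise (fake extension in Name=, borrowed MIME-type icon)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not name.endswith(".desktop"):
                continue
            if not os.stat(full).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable: shown under its real name, opened as text
            entry = parse_desktop_entry(full)
            if entry.get("Type") != "Application" or "Exec" not in entry:
                continue
            shown, icon = entry.get("Name", ""), entry.get("Icon", "")
            reasons = ["executable Type=Application launcher inside a downloaded archive"]
            if shown.lower().endswith(DATA_FILE_EXTS):
                reasons.append(f"Name= impersonates a data file ({shown!r})")
            if icon.startswith(MIME_ICON_PREFIXES):
                reasons.append(f"Icon= borrows a MIME-type icon ({icon!r})")
            findings.append(Finding(full, shown, entry["Exec"], "; ".join(reasons)))
    return findings


def disarm(path: str) -> None:
    """Strip the execute bits: the file manager then shows the real name and opens it as text."""
    os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~0o111)


def run_demo(executable: bool = True) -> tuple:
    """Build, extract, scan, disarm, rescan; returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "Document.tar.gz")  # renaming it .zip changes nothing
        outdir = os.path.join(work, "extracted")
        os.mkdir(outdir)
        build_poc_archive(archive, executable)
        extract_archive(archive, outdir)
        before = scan_extracted_tree(outdir)
        for f in before:
            disarm(f.path)
        after = scan_extracted_tree(outdir)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for f in before:
        print(f"{f.path}\n  shown as: {f.displayed_name}\n  runs: {f.exec_line}\n  {f.reason}")
    print(f"after chmod -x: {len(after)} finding(s)")
```

Running it reports the one armed launcher, its spoofed display name, the command it would run and why it was flagged, and a clean rescan after the execute bit is removed. Pointing `scan_extracted_tree` at any freshly extracted download gives the same check; the disarm step is the manual equivalent of what a file manager that ignored the x bit (or required a trust flag in addition to it, as the linked Nemo pull request proposed) would do implicitly.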

smurphos
Level 16
Posts: 6804
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by smurphos »

You may find these discussions interesting - I don't think mtwebster's proposed solution ever got merged (it would require a trusted metadata flag as well as the executable bit being set).

https://github.com/linuxmint/nemo/issues/1404
https://github.com/linuxmint/nemo/pull/1407
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

karlchen
Level 21
Posts: 12731
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by karlchen »

lsemmens wrote:
Mon May 18, 2020 11:38 pm
Your point?
After executing step 2 ("Make it executable"), Nemo displays the file Document.desktop as Document.odt.
(My other file manager cannot be fooled this way and still displays Document.desktop.)

If you click on what Nemo displays as Document.odt, the file will be executed. Which means the commandline in the parameter Exec= gets executed. And this commandline displays the virus alert message.

--
By the way. If you use e.g. xfe in order to do the steps, you will learn that the steps will not work as explained.
xfe displays Document.desktop as Document.desktop, no matter whether the file is executable or not.
xfe will not execute the file by the way, but simply open it in an editor.

--

Hm. The *.desktop files in /usr/share/applications and in $HOME/.local/share/applications are not executable (no "x" bit set). So .desktop files as such do not have to be executable.
Linux Mint 19.2 64-bit Cinnamon, Total Commander 9.22a 64-bit
Haß gleicht einer Krankheit, dem Miserere, wo man vorne herausgibt, was eigentlich hinten wegsollte. (Goethe)

spamegg
Level 4
Posts: 274
Joined: Mon Oct 28, 2019 2:34 am

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by spamegg »

I feel like this is just feeding a troll...

karlchen
Level 21
Posts: 12731
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by karlchen »

What is the trolling aspect in the reported way in which file managers that also manage the desktop handle .desktop files which have been made executable?
Care to explain? After all, the two GitHub issues which smurphos linked to were not immediately closed as non-issues.

thx-1138
Level 8
Posts: 2094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by thx-1138 »

EDIT: Content removed, as i not only misunderstood the OP, but also karlchen's reply / reaction to it
(my guess stumbling on the 'ESO Gold services ad' early in the morning in...Linux-oriented forums,
not only got on my nerves, but severely clouded / crippled my judgement & comprehension afterwards). :? :cry:
My sincere apology to karlchen for completely misinterpreting his statements before.
Last edited by thx-1138 on Tue May 19, 2020 2:02 pm, edited 1 time in total.

lamefun
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

The problem is, YOU don't even have to personally make a .desktop file executable for it to be able to fake the icon and the extension... You just have to download an archive in a format that preserves the executable flag, like .7z or .tar.gz, from some malicious website and unpack it...

ZakGordon
Level 5
Posts: 804
Joined: Thu Feb 12, 2015 11:07 am

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by ZakGordon »

You do know WHY virus/malware makers target Windows mostly right?

You do know what 'open source' means (in effect, not just the philosophical aspect)?

--------------------
On a tangent. Any time you connect online, on any OS, under any security system, you immediately open up your computer to potentially getting compromised.

Say anytime you want to broadcast something over the airwaves (so using any radio frequency), under any security system, you immediately open up your sent communication to potentially getting intercepted and compromised.

Anytime you have a conversation in a public place you are open to having that conversation listened in on. Anytime you write anything down (say on paper) you immediately leave yourself open to having that stolen/used against your wishes.

You see where this is going? So as has been asked, what is your point?
Laptop overheating? Check link here:itsfoss guide . A move from Cinnamon to XFCE can give a -5 to -10 degrees C change on overheating hardware.

Build a modern dual-boot Ryzen Win7/Linux Mint PC:Tutorial

lamefun
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

ZakGordon wrote:
Tue May 19, 2020 10:05 am
Any time you connect online, [...] you immediately open up your computer to potentially getting compromised.
Exactly, and this is why security loopholes should be fixed ASAP, and not ignored for years...
ZakGordon wrote:
Tue May 19, 2020 10:05 am
You see where this is going? So as has been asked, what is your point?
Imagine you download Music.7z, extract it, double-click an innocent-looking Song.mp3, and BOOM, you have virus! Sure, you can first open it in the archive manager, which doesn't allow .desktop files to fake their extensions and icons, but a non-technical user may not even know that's possible... Using a computer shouldn't be like crossing a minefield, especially when you're using a supposedly secure OS.

That's my point.

Flemur
Level 18
Posts: 8397
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by Flemur »

karlchen wrote:
Tue May 19, 2020 7:14 am
Nemo afterwards displays the file Document.desktop as Document.odt.
thunar and pcmanfm also displayed the fake .odt extension; but the correct name is maintained in a terminal and in xfe and doublecmd. It seems that linux is getting more like Windows all the time...
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?

thx-1138
Level 8
Posts: 2094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by thx-1138 »

That lots of things don't work 'as they should' under Linux, sure.
Projects frequently have limited manpower, code for this or that isn't necessarily extensively tested,
devs might be stubborn to the point of no return to fix stuff etc etc. No question about that, not all is roses, far from it.

But to have a good understanding here, you discovered America that super-cool elite 0-day bug in May 2020?
And your answer is...what?

To come to LM forums...ie. the linux forum which is easily the one with the least technical-knowledgeable base overall,
and crap-post about AVs that do...magic and how great PRO! PRO! PRO(!)prietary software is?
What's the proposal here? Is it just a way to stir impressions? Spread fearmongering?
Merely an expression of disappointment? Overplay something in order to attract attention? What is it exactly?

Because regardless if your concerns are valid up to a certain point and if your actual intentions are well-meant,
from what i see, you also seem to have a certain not-really-flattering history in regards to such issues:
https://lwn.net/Articles/606826/
https://lists.rpmfusion.org/pipermail/r ... 17138.html

How is anyone supposed to react to such mentality and/or behavior?
Tell you that 'you're barking at the wrong tree' in those forums here?
State that 'you catch more flies with honey than vinegar'?
Respond with the cliché 'Patches are welcomed'?

rene
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

thx-1138 wrote:
Tue May 19, 2020 11:10 am
How is anyone supposed to react to such mentality and/or behavior?
Basically, by fixing the problem. Judging by smurphos' contribution this problem has been known and ignored so seems it's about time.

The PRO thing he even himself commented on as non-serious; fine. The problem itself is quite literally Windows 95 level/vintage and honestly rather embarrassing for anyone involved with e.g. Nemo. Poster has here taken the role of reporter and your response more or less is what you otherwise seem to not appreciate, i.e., "patches are welcome". He doesn't have patches; just an embarrassing example of a Windows 95 era exploit. It'll do in this obvious case.

thx-1138
Level 8
Posts: 2094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by thx-1138 »

rene wrote:
Tue May 19, 2020 11:31 am
thx-1138 wrote:
Tue May 19, 2020 11:10 am
How is anyone supposed to react to such mentality and/or behavior?
The PRO thing he even himself commented on as non-serious; fine.
...hmmm, doesn't really look this way to me from the above...or even more,
and still assuming if i'm correct, via his github avatar ;-)

But if indeed i misunderstood his AV & PRO comments as serious ones while not actually being such,
then sure, i'm perfectly fine to retract any of my previous statements.

rene
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

The "But seriously..." thing. But anyways, I always thought that Nemo was a PoS so I'll be out of here but, really, Nemo dudes and dudettes?

lamefun
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

thx-1138 wrote:
Tue May 19, 2020 11:10 am
That lots of things don't work 'as they should' under Linux, sure.
Projects frequently have limited manpower, code for this or that isn't necessarily extensively tested,
devs might be stubborn to the point of no return to fix stuff etc etc. No question about that, not all is roses, far from it.
If it's so bad that basic security issues can't be fixed, maybe don't advertise it as "safe" then.

From https://linuxmint.com/about.php:

It's safe and reliable. Thanks to a conservative approach to software updates, a unique Update Manager and the robustness of its Linux architecture, Linux Mint requires very little maintenance (no regressions, no antivirus, no anti-spyware...etc).
thx-1138 wrote:
Tue May 19, 2020 11:10 am
Merely an expression of disappointment?
Yes, a very, very major disappointment.
thx-1138 wrote:
Tue May 19, 2020 11:10 am
Overplay something in order to attract attention?
Obviously I want to attract attention, but this bug is so bad that it can't really be overplayed...
thx-1138 wrote:
Tue May 19, 2020 11:10 am
from what i see, you also seem to have a certain not-really-flattering history in regards to such issues:
https://lwn.net/Articles/606826/
https://lists.rpmfusion.org/pipermail/r ... 17138.html
Yes, and I don't care, silly security issues deserve silly responses, that's only fair.

RPM Fusion had both the download links and the GPG keys on openly editable wiki pages, can't get much sillier than this...

Flying pig :lol:: https://rpmfusion.org/RPM%20Fusion?acti ... ll&rev=194

thx-1138
Level 8
Posts: 2094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by thx-1138 »

Lmao :lol:

Well, the desktop stack is more or less PoS one way or another, regardless if Mate, Cinnamon...
If i was to somewhat 'trust' a desktop, that would be Gnome, in the sense, that's where the $ is,
and also, besides funding, from what i'm aware, at least a few sub-projects of it explicitly & frequently,
test their code for potential vulnerabilities etc etc...

This goes slightly off-topic, and it's partially addressed to rene - as it is recent enough...
I didn't comment in that thread there, because the main 'discourse' seemed to be along the lines of...
if the browser is updated, then all is quiet on the western front. It absolutely certainly isn't.

Example...
https://usn.ubuntu.com/4074-1/
Ie. find me a simple common unsuspecting end-user who won't download video files from public trackers.
And note we're talking about...VLC here, 1 billion downloads, widely reviewed, has also received EU money for bug testing.
So, if talking about...random player fork of another random player hosted somewhere in github, well, yeah...no comment.

Could claim the very same thing for most common desktop utilities / functions actually.
PDF browsers, archive extractors, image viewers, and what not.
And if you add on top the not-so-great vulnerability history in Ghostscript, ImageMagick, zlib etc...

There was a relatively interesting paper a few years ago.
Pretty much what it said was that...hey, such kind of past Windows-alike nonsense / vulns
(JpegOfDeath, WMFexploit, TTF exploits), are hugely ignored by the modern Linux desktops.
People download pdfs, jpgs, fonts, avi or mkv files and what not...
so it's certainly not "keep the browser updated, and all is more or less well".
That's a serious under-estimation: ALL input from the net should be treated as untrusted in the first place.
And please note we're talking only about improper file format decoding here.

Ie. myself, i'm actually fairly confident that besides the .desktop Win95-alike bug above,
various kinds of early / mid-00s Windows-style fileformat parsing / decoding vulnerabilities,
must be lurking in the various desktops, forks and their sub-components at this or that stage of development.
Due to lack of interest in x obscure graphical linux software...it's just that probably no one notices them.

To make myself clear: i trust the kernel enough, and the well-known server/cloud software & underlying libs used in the industry.
The rest - i merely trust that they aren't backdoored if coming from official repos, nothing more or less.
Outside such, i always (try to) manually check / verify any file that i download...

In that sense, (and obviously retracting / apologizing if you will for my previous statements having misunderstood such),
the only 'hope' would be as smurphos suggested to re-open the discussions about such over at Github...

rene
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

thx-1138 wrote:
Tue May 19, 2020 12:44 pm
Ie. find me a simple common unsuspecting end-user who won't download video files from public trackers.
I'd actually have no trouble at all finding you many, but, let's just say that your point has been read at least, even if "taken" would still take some doing ;-)

karlchen
Level 21
Posts: 12731
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by karlchen »

<Mod>
This thread did not start with a typical newbie question. A real newbie would step into the trap without realizing or realizing only once some damage has been achieved.
Some statements by the OP to the effect that commercial software in general and Microsoft software in particular were superior to open source software in general, raise doubts that
a) the OP is a Linux newbie
b) the OP's intention is primarily reporting a potentially easy to exploit design flaw in how common file-managers handle .desktop files.
In brief:
For all the mentioned reasons, the thread has been moved from the "Newbie" sub-forum to the "Chat about Linux" forum.
</Mod>
