STE WILLIAMS

Bug of the week: Gnome pic parser can run evil VBScripts

Gnome developers, take a bow: a bug in your image thumbnailer opens up a (not too scary, thankfully) vector for script injection.

The problem is explained by Nils Dagsson Moskopp in his write-up, which opens with this advice for users:

“Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code” (emphasis added).

In other words, when Gnome Files builds a thumbnail it does not merely read the filename, it splices the filename into a script and runs the result. Part of the filename becomes executable input, and that is the problem.

Dagsson Moskopp uses Wine for his proof-of-concept, because something has to execute the VBScript and Wine's cscript.exe is what the thumbnailer invokes. The demonstration is deliberately modest: a crafted filename makes Gnome Files create a file called badtaste.txt. But an attacker who can create arbitrary files can have all sorts of fun in a Linux environment, even when confined to the current user's context (a crafted entry in ~/.config/autostart or ~/.bashrc, say).

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.”

He picks out this single line of code in /usr/bin/gnome-exe-thumbnailer as the culprit:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\tmp\${TEMPFILE1##*/}.vbs 2>/dev/null

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.”

Dagsson Moskopp's advice for developers is the LANGSEC line: do not write ad-hoc parsers, "fully recognise inputs before processing them" (validate the whole file against a grammar before acting on any of it), and generate output with unparsers, that is, serialisers that properly escape or quote each value, rather than pasting untrusted strings into a code template.
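The following shell script is an added example, not code from gnome-exe-thumbnailer or from Dagsson Moskopp's post. It reconstructs the pattern the quoted passage describes (a shell wrapper renders a VBScript template with the filename pasted into a string literal) and sets it beside two hardened forms that follow the unparser advice above. The template text, the helper names and the malicious filename are all assumptions made for the demonstration; the filename relies on the fact that VBScript accepts a colon as a statement separator, so a single-line name is enough to break out of the literal.

```sh
#!/bin/sh
# Added example, not the gnome-exe-thumbnailer source. Reconstructs the
# "filename spliced into a VBScript template" pattern and two fixes.
# Template, helper names and the filename below are assumptions.

# Constructed malicious filename. It closes the string literal, then uses
# VBScript's ":" statement separator to smuggle in a file-creating call.
EVIL_NAME='x").Size : Set f = fso.CreateTextFile("badtaste.txt") : WScript.Echo ("y.msi'

# VULNERABLE: the filename is interpolated straight into the script text.
build_vbs_unsafe() {
    printf 'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    printf 'WScript.Echo fso.GetFile("%s").Size\n' "$1"
}

# Unparser for a VBScript string literal: a quote inside a literal is
# written as "", and a literal cannot span lines, so CR/LF are dropped.
vbs_quote() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/"/""/g'
}

# HARDENED (minimal): same template, but the value is serialised as a
# VBScript string before it is spliced in, so the filename stays data.
build_vbs_escaped() {
    printf 'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    printf 'WScript.Echo fso.GetFile("%s").Size\n' "$(vbs_quote "$1")"
}

# HARDENED (preferred): the script is a constant and the filename travels
# out-of-band as a cscript argument, so there is nothing to escape at all.
build_vbs_fixed() {
    printf 'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    printf 'WScript.Echo fso.GetFile(WScript.Arguments(0)).Size\n'
}

# Count the top-level statements on one line of generated VBScript by
# splitting on ":" outside string literals ("" inside a literal toggles
# the quote state twice, so it is handled correctly). Anything above 1
# means the filename escaped the literal and became code.
statement_count() {
    printf '%s\n' "$1" | awk '{
        n = 1; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            else if (c == ":" && !inq) n++
        }
        print n
    }'
}

# The second line of each generated script is the one carrying the name.
second_line() { printf '%s\n' "$1" | sed -n '2p'; }

if [ "${1:-}" = "demo" ]; then
    echo "--- unsafe script: filename became code ---"
    build_vbs_unsafe "$EVIL_NAME"
    echo "--- escaped script: filename stays one string ---"
    build_vbs_escaped "$EVIL_NAME"
    echo "--- fixed script; invoke as: cscript.exe //E:vbs thumb.vbs \"\$FILE\" ---"
    build_vbs_fixed "$EVIL_NAME"
fi
```

Run it with the argument `demo` to print all three generated scripts. The escaped form is the smallest change that closes the hole, but it still generates code from data and has to get the escaping rules for every context right (here a quoted literal; the `tr -d '\r\n'` is a conservative choice that will make the thumbnail fail for a name containing a newline rather than risk a second statement). The argument-passing form is the one that matches the advice above: the script never changes, the filename is recognised as a string by cscript itself, and nothing in the name can be mistaken for VBScript.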

As LANGSEC (http://langsec.org/), which he also cites, puts it, the “Internet insecurity epidemic [is] a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks”. Try to avoid it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/bug_of_the_week_gnome_pic_parser_can_run_evil_vbscripts/
