Remote code execution through URI handlers of browsers
Hello. It's possible to redirect a Linux XFCE user to connect to a remote FTP server and execute arbitrary code through .desktop files, with one click to remote code execution:

- If the user already has an FTP share connected on the computer, when they click to open a generic xdg-open, Chrome will execute a .desktop file, on all Linux systems. (If you try that on Chromium browsers on macOS, the browser will just download the file, not execute it; the same behavior we have on Firefox.)

- If the user is not yet connected to the FTP server, when the xdg-open is accepted, the user will connect to the FTP server; when the user clicks again to open the xdg-open, the .desktop file will be executed automatically.
Steps:

1. On a Linux XFCE system (machine 1), connect it to a shared FTP server (which holds the malicious .desktop file the attacker uploaded), simulating the victim's computer, which has a shared FTP of the business.
2. The attacker sends the link containing the malicious HTML page to the victim.
3. The victim accepts the xdg-open prompt.
4. The .desktop file is executed automatically.
A lot of apps run through xdg-open; an attacker can make infinite malicious pages to execute the generic xdg-open, which in reality is arbitrary code in a .desktop file that browsers enable to execute.
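A defender-side check that fits the scenario above, added here as an example (it is not part of the report and not a PoC): walk a mounted share such as the FTP mount from the steps, parse every `.desktop` launcher found there, and report the `Exec` command each one would run if the xdg-open handoff opened it. The share path, the sample launcher contents and the helper `build_sample_share` are constructed for the demonstration.

```python
"""Report .desktop launchers found on a mounted share and the commands they carry.

Added example for inventorying what a browser's xdg-open handoff could run;
not code from the original report.  Paths and sample data are constructed.
"""
import configparser
import os
import stat
import tempfile
from typing import Dict, List


def parse_desktop(text: str) -> Dict[str, str]:
    """Parse the [Desktop Entry] group of a .desktop file into a dict.

    Returns {} when the text has no such group or is not parseable.
    Keys keep their case (Exec, Type, ...), and '%' placeholders in Exec
    are left untouched (interpolation disabled).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp.items("Desktop Entry"))


def scan_desktop_files(root: str) -> List[dict]:
    """Find every *.desktop file under root that carries an Exec= line.

    Each finding records the path, the declared Type, the Exec command and
    whether the file has the owner-execute bit (desktops treat launchers
    without it as untrusted).  Launchers with no Exec are skipped since
    they start nothing.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".desktop"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    entry = parse_desktop(fh.read())
                mode = os.stat(path).st_mode
            except OSError:
                continue
            exec_cmd = entry.get("Exec")
            if not exec_cmd:
                continue
            findings.append({
                "path": path,
                "type": entry.get("Type", ""),
                "exec": exec_cmd,
                "executable": bool(mode & stat.S_IXUSR),
            })
    return findings


def build_sample_share() -> str:
    """Create a temporary directory standing in for a mounted FTP share.

    It holds one constructed launcher whose Exec is harmless (/usr/bin/true)
    plus a launcher without Exec, so the scanner has something to skip.
    """
    share = tempfile.mkdtemp(prefix="sample-share-")
    with open(os.path.join(share, "a.desktop"), "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Application\nName=constructed sample\n"
                 "Exec=/usr/bin/true\nTerminal=false\n")
    with open(os.path.join(share, "link.desktop"), "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\nType=Link\nName=no command\nURL=file:///tmp\n")
    return share


if __name__ == "__main__":
    # Point this at the real mount (e.g. the gvfs/curlftpfs path) instead of the sample.
    for f in scan_desktop_files(build_sample_share()):
        flag = "exec-bit" if f["executable"] else "no-exec-bit"
        print(f"{f['path']}: Type={f['type']} Exec={f['exec']} ({flag})")
```

Running it against the real mount point (or a home directory) lists every launcher and its command, which is the inventory an administrator needs before deciding which shares may hold `.desktop` files at all.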
Please see the PoC: in the attachments we have the .desktop file and the HTML file (a.desktop).
Thanks!