Hiding filename/extension for .desktop files with execute permission.
Submitted by Mathias Svanbäck
Assigned to Xfce Bug Triage
Description
Created attachment 6980: Screenshot of malicious .desktop file displayed in Thunar
Hiding the filename/extension may be used to trick users into executing arbitrary code.
How to reproduce:
- Create a file called malware.desktop
- Add the following content to it:

    [Desktop Entry]
    Name=CV.pdf
    Exec=sh -c 'touch ./MALWARE_WAS_HERE'
    Terminal=false
    Icon=x-office-document
    Type=Application
    Categories=Office

- Make it executable
Thunar then displays the file as shown in the attached screenshot.
Once the user opens the file, the Exec entry is executed without any confirmation. Because the filename, and therefore also the filename extension, is hidden, users can easily be tricked into executing arbitrary code when someone ships files like that in an archive which preserves execute permissions.
How to fix it:
Perhaps by not hiding the filename for .desktop files at all.
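A defender-side check for the pattern described above (added example, not code from this report or from Thunar): it flags executable .desktop launchers whose Name ends in a document extension, using the report's own sample file as constructed input; the list of document extensions is an assumption.

```python
"""Detector for the trick in this report: an executable .desktop launcher whose
Name masquerades as a document. Added example, not code from the report or Thunar."""
import configparser
import os
import stat
import tempfile

# Extensions a user expects to open as data rather than run (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".odt", ".txt", ".jpg", ".png", ".zip"}


def suspicious_desktop_entry(path):
    """Reason string if path is an executable launcher whose Name mimics a document, else None."""
    if not path.endswith(".desktop"):
        return None
    mode = os.stat(path).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return None  # only executable launchers are run without a prompt
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path, encoding="utf-8")
    if not cp.has_section("Desktop Entry"):
        return None
    entry = cp["Desktop Entry"]
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return None
    name = entry.get("Name", "")
    if os.path.splitext(name)[1].lower() in DOCUMENT_EXTS:
        return f"{path}: Name={name!r} looks like a document, Exec={entry['Exec']!r}"
    return None


def scan_directory(directory):
    """Scan one directory (non-recursive) and return the findings."""
    paths = (os.path.join(directory, f) for f in sorted(os.listdir(directory)))
    return [r for r in map(suspicious_desktop_entry, paths) if r]


def demo():
    """Constructed input: the report's launcher plus a benign one, in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "malware.desktop")
        with open(bad, "w") as fh:
            fh.write("[Desktop Entry]\nName=CV.pdf\nExec=sh -c 'touch ./MALWARE_WAS_HERE'\n"
                     "Terminal=false\nIcon=x-office-document\nType=Application\nCategories=Office\n")
        os.chmod(bad, 0o755)
        good = os.path.join(d, "editor.desktop")
        with open(good, "w") as fh:
            fh.write("[Desktop Entry]\nName=Text Editor\nExec=mousepad\nType=Application\n")
        os.chmod(good, 0o755)
        return scan_directory(d)
```

Running demo() reports only malware.desktop; the benign launcher with a non-document Name passes.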
/u/wander_homer brought it up https://www.reddit.com/r/linux/comments/5r6va0/how_to_easily_trick_file_manager_users_to_execute/
For reference, this bug also applies to other file managers: https://github.com/lxde/pcmanfm-qt/issues/449 https://github.com/mate-desktop/caja/issues/727 https://github.com/linuxmint/nemo/issues/1404
Attachment 6980, "Screenshot of malicious .desktop file displayed in Thunar":
Version: 1.6.10