Skip to content

Hiding filename/extention for .desktop files with execute permission.

Submitted by Mathias Svanbäck

Assigned to Xfce Bug Triage

Link to original bug (#13329)

Description

Created attachment 6980 Screenshot of malicious .desktop file displayed in Thunar

Hiding the filename/extention may be used to trick users to execute arbitrary code.

How to reproduce:

  1. Create a file called malware.desktop

  2. Add the following content to it:

[Desktop Entry] Name=CV.pdf Exec=sh -c 'touch ./MALWARE_WAS_HERE' Terminal=false Icon=x-office-document Type=Application Categories=Office

  1. Make it executable

Thunar displays the file like that: (see attachment)

Once the user opens the file the Exec entry is executed without any confirmation. By hiding the filename and therefore also the filename extension users can easily be tricked to execute arbitrary code when some ships files like that in an archive which preserves execute permissions.

How to fix it:

Maybe by don't hiding the filename for .desktop files at all.

/u/wander_homer brought it up https://www.reddit.com/r/linux/comments/5r6va0/how_to_easily_trick_file_manager_users_to_execute/

For reference, this bug also applies to other file managers: https://github.com/lxde/pcmanfm-qt/issues/449 https://github.com/mate-desktop/caja/issues/727 https://github.com/linuxmint/nemo/issues/1404

Attachment 6980, "Screenshot of malicious .desktop file displayed in Thunar":
Screenshot_2017-02-02_19-14-19

Version: 1.6.10