Argument injection vulnerability in xfce4-mime-helper
Description
There is an argument injection vulnerability in the xfce4-mime-helper tool. The tool is used by xdg-open in Linux distributions with the Xfce Desktop Environment installed (Xubuntu, Whonix, etc.). By exploiting the bug, an attacker can inject arbitrary command line arguments into the configured default browser (e.g. Firefox) and the default file manager (e.g. Thunar). Among other things, the vulnerability can be leveraged into a 1-click universal XSS in Firefox.
Steps to reproduce
- Set up a fresh Xubuntu 22.04 installation.
- Open a Terminal and enter the following command.
xdg-open 'http://example.org" --private-window"'
- Observe that the injected --private-window argument was accepted by Firefox.
Walkthrough
The flaw was first noted by clicking on a link that contains a double-quote.
To understand what happens under the hood, the command strace -f -s100 xdg-open 'http://example.org" --private-window"' | grep execve can be used.
One can see that xdg-open is executed first, which then passes the argument correctly to exo-open.
Then, exo-open in turn calls xfce4-mime-helper with --launch WebBrowser or --launch FileManager, depending on the URL scheme.
strace output:
execve("/usr/bin/xdg-open", ["xdg-open", "http://example.org\" --private-window"], ...
execve("/usr/bin/exo-open", ["exo-open", "http://example.org\" --private-window"], ...
execve("/usr/bin/xfce4-mime-helper", ["/usr/bin/xfce4-mime-helper", "--launch", "WebBrowser", "http://example.org\" --private-window"], ...
Taking a closer look at the source code of the xfce4-mime-helper application, it was noted that an insecure string replace is used to build the firefox or thunar command.
More specifically, templates are used to build the final command. This is illustrated in the code snippet below.
With reference to the above PoC, commands[n] is /snap/bin/firefox "%s". The code below replaces %s with the attacker-controlled URL, resulting in:
/snap/bin/firefox "http://example.org" --private-window""
The double quote inside the URL closes the template's quoted argument early, so the remainder of the URL is parsed by g_shell_parse_argv as additional arguments.
Affected Code
/* parse the command */
/* %s in the template is replaced by the raw, unquoted parameter (the URL) */
command = !xfce_str_is_empty (real_parameter) ? xfce_str_replace (commands[n], "%s", real_parameter) : g_strdup (commands[n]);
/* the resulting string is then split into argv using shell quoting rules */
succeed = g_shell_parse_argv (command, NULL, &argv, &err);
g_free (command);
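As an added illustration (not code from this advisory or from xfce4-mime-helper), the following Python models the affected logic with shlex.split standing in for g_shell_parse_argv, using the firefox template quoted above. The hardened builder substitutes the parameter only after the template has been split into words, so quotes in the URL can no longer change the argument boundaries.

```python
import shlex

# Template for the WebBrowser helper as reported above (Xubuntu 22.04).
TEMPLATE = '/snap/bin/firefox "%s"'
# Constructed input mirroring the PoC from the steps to reproduce.
POC_URL = 'http://example.org" --private-window"'


def build_argv_vulnerable(template: str, parameter: str) -> list[str]:
    """Model of the affected code: textual replace of %s, then shell parsing.

    shlex.split stands in for g_shell_parse_argv. Both honour quotes, so a
    double quote inside the parameter closes the template's quoted argument
    early and the rest of the parameter becomes extra argv entries.
    """
    command = template.replace("%s", parameter)
    try:
        return shlex.split(command)
    except ValueError:
        # Unbalanced quotes: the parse fails (g_shell_parse_argv would set
        # err and the helper would not launch anything).
        return []


def build_argv_fixed(template: str, parameter: str) -> list[str]:
    """Hardened variant: parse the template first, then substitute per word.

    The parameter is inserted into an already-split argv entry, so it is
    passed to the browser verbatim as a single argument.
    """
    return [word.replace("%s", parameter) for word in shlex.split(template)]


def injected_arguments(template: str, parameter: str) -> list[str]:
    """Arguments the vulnerable builder hands to the browser beyond the
    number of words the template itself defines. Empty means no injection.
    """
    expected = len(shlex.split(template))
    return build_argv_vulnerable(template, parameter)[expected:]
```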
Impact
xdg-open is usually executed when a user clicks on a link in an application such as a PDF viewer or document writer.
Therefore this issue can be exploited when a victim clicks on a malicious link in a specially crafted PDF document.
In Firefox, the CLI argument --remote-debugging-port opens a TCP port on a local interface for debugging purposes.
Using the argument --remote-allow-origins http://attacker.com, the attacker-controlled origin is allowed to connect to the local debugging port.
As a result, the attacker can execute arbitrary JavaScript code on any domain (uXSS) via the debugging port.
A sample PDF document (evil.pdf) is attached.
Finders
Robin Peraglie, Johannes Moritz