Argument injection vulnerability in xfce4-mime-helper
There is an argument injection vulnerability in the xfce4-mime-helper tool. The tool is used by xdg-open in Linux distributions with the Xfce Desktop Environment (Xubuntu, Whonix, etc.) installed. By exploiting the bug, an attacker can inject arbitrary command line arguments into the configured default browser (e.g. Firefox) and the default file manager (e.g. Thunar). Among other things, the vulnerability can be leveraged into a 1-click universal XSS in Firefox.
Steps to reproduce
- Set up a fresh Xubuntu 22.04 installation.
- Open a terminal and enter the following command:
  xdg-open 'http://example.org" --private-window"'
- Observe that the injected --private-window argument was accepted by Firefox.
The flaw was first noted by clicking on a link that contains a double-quote.
To understand what happens under the hood, the command
  strace -f -s100 xdg-open 'http://example.org" --private-window"' | grep execve
can be used. One can see that first xdg-open is executed, which then passes the argument correctly to exo-open. Then, exo-open in turn calls xfce4-mime-helper with --launch WebBrowser or --launch FileManager depending on the URL scheme.
  execve("/usr/bin/xdg-open", ["xdg-open", "http://example.org\" --private-window"], ...
  execve("/usr/bin/exo-open", ["exo-open", "http://example.org\" --private-window"], ...
  execve("/usr/bin/xfce4-mime-helper", ["/usr/bin/xfce4-mime-helper", "--launch", "WebBrowser", "http://example.org\" --private-window"], ...
Taking a closer look at the source code of the xfce4-mime-helper application, it was noted that an insecure string replace is used to build the firefox or thunar command. More specifically, templates are used to build the final command, as illustrated in the code snippet below. With reference to the above PoC, the browser template is /snap/bin/firefox "%s". The code below replaces %s with the attacker-controlled URL, resulting in:
  /snap/bin/firefox "http://example.org" --private-window""
The double quote in the URL closes the template's quoted argument, so the shell-style parser that runs afterwards sees --private-window as a separate argument.
  /* parse the command */
  command = !xfce_str_is_empty (real_parameter)
            /* textual %s substitution: quotes in real_parameter are not escaped */
            ? xfce_str_replace (commands[n], "%s", real_parameter)
            : g_strdup (commands[n]);
  /* shell-style parsing of the substituted string splits it into argv */
  succeed = g_shell_parse_argv (command, NULL, &argv, &err);
  g_free (command);
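The following is an added example, not code from the advisory or from the Xfce project. It models the flawed order of operations (substitute %s textually, then parse shell-style) in Python, with shlex.split() standing in for g_shell_parse_argv(), and contrasts it with the order that keeps the URL as one argument (parse the template first, then substitute into the resulting argv tokens). The template string, the URLs and the function names are constructed for the example; the safe variant is an illustration of the principle, not the project's actual fix.

```python
"""Model of the xfce4-mime-helper template substitution (added example)."""
import shlex
from typing import List

# Constructed browser template in the advisory's format; "%s" is replaced by the URL.
BROWSER_TEMPLATE = '/snap/bin/firefox "%s"'

# Constructed URL from the advisory's PoC: the double quote closes the template's
# quoted argument and the remainder becomes a second argument after parsing.
INJECTED_URL = 'http://example.org" --private-window"'

# Constructed benign URL with a space, to show the safe variant still passes it intact.
BENIGN_URL = 'http://example.org/?q=a b'


def build_argv_vulnerable(template: str, parameter: str) -> List[str]:
    """Flawed order: textual %s replacement, then shell-style parsing.

    Mirrors xfce_str_replace(commands[n], "%s", real_parameter) followed by
    g_shell_parse_argv(command, ...). Quotes inside `parameter` are interpreted
    by the parser, so the caller of the browser receives extra arguments.
    """
    command = template.replace("%s", parameter)
    return shlex.split(command)


def build_argv_safe(template: str, parameter: str) -> List[str]:
    """Safe order: parse the template first, then substitute %s inside each token.

    The parameter never passes through the shell-style parser, so quotes and
    spaces in it cannot split it into additional arguments.
    """
    argv = shlex.split(template)
    return [token.replace("%s", parameter) for token in argv]


def argument_count_matches(template: str, argv: List[str]) -> bool:
    """Sanity check usable by a caller: the number of arguments produced must
    equal the number of tokens in the template. A mismatch means the parameter
    was split into extra arguments (i.e. argument injection happened)."""
    return len(shlex.split(template)) == len(argv)


if __name__ == "__main__":
    for label, url in (("injected", INJECTED_URL), ("benign", BENIGN_URL)):
        vuln = build_argv_vulnerable(BROWSER_TEMPLATE, url)
        safe = build_argv_safe(BROWSER_TEMPLATE, url)
        print(f"{label}: vulnerable argv = {vuln}  (count ok: {argument_count_matches(BROWSER_TEMPLATE, vuln)})")
        print(f"{label}: safe argv       = {safe}  (count ok: {argument_count_matches(BROWSER_TEMPLATE, safe)})")
```

Run stand-alone, the vulnerable path turns the PoC URL into three arguments (the binary, http://example.org and --private-window), exactly what the strace output above shows Firefox receiving, while the parse-first path hands the whole string to the browser as a single argument. The argument-count check is a cheap way for a caller to detect that a parameter was split, independent of how the command was built.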
xdg-open is usually executed when a user clicks on a link in an application like a PDF viewer or document writer.
Therefore this issue can be exploited when a victim clicks on a malicious link in a specially crafted PDF document.
In Firefox, the CLI argument --remote-debugging-port opens a TCP port on a local interface for debugging purposes. Using the argument --remote-allow-origins http://attacker.com, the attacker-controlled origin is allowed to connect to the local debugging port.
A sample PDF document (evil.pdf) is attached.
Robin Peraglie, Johannes Moritz