Malware Threat To GNOME and KDE

commandlinegamer writes "foobar posted on his blog recently about 'How to write a Linux virus in 5 easy steps,' detailing potential malware infection risks in the .desktop file format used by GNOME and KDE. This is not a new threat, and it appears to still be a risk, as discussions in 2006 did not seem to come to any firm conclusion on how to deal with the problem." There's a followup on LWN.

Re:Protect your self with encryption

[JesseMcDonald]

Why do shortcuts need to have the ability to run code?

The shortcut only contains parameters for the path to the application and a list of parameters; it doesn't run any code itself. The problem is that the application can be (e.g.) /usr/bin/perl, and the parameters "-e 'perl code here'". Removing this ability would seriously impact the usefulness of the shortcuts.

The real issue is that the DEs are blindly trusting a non-executable file of unknown source to provide this information. The solution has already been suggested: turn all .desktop files into scripts (via a #! line, which is already valid comment syntax), mark them as executable, and have the DE run them like any other executable file. Non-executable .desktop files which link to applications would be displayed as usual, but would be treated as documents rather than launchers.

Did you even RTFA?

[brunes69]

He is not talking about shell scripts at all. The whole point of the article is a .desktop file does not need to be +x to execute it, KDE and Gnome execute commands in it automatically regardless. So all they have to do is save it and click on it.

Re:Solution

[Ed+Avis]

The best you can do is be aware, vigilant, and choose software that has less vulnerabilities and whose writers work hardest to correct the problems fastest.

Which in this case is unlikely to be GNOME or KDE, since this attack has been known for several years and absolutely nothing has been done about it (it's "expected behaviour").

Re:Protect your self with encryption

[Ed+Avis]

Yeah it's pretty straightforward: if the executable bit is not set then the file is merely *displayed* as a plain text file. If the executable bit is set then it is *run*.

That means you cannot simply save an attachment from a message and run it. You can however display it, which is fine.

Everything works like this except for .desktop files, which because of an oversight, default to *running* on double-click even if not marked executable. Hence the attack vector. It is made nastier by the fact that .desktop files can disguise themselves with a name and icon of their choosing.

They won't listen

[diegocgteleline.es]

I filed a bug warning of this security problem on March, 2005. Final answer of the developers after taking it to the freedesktop lists: WONTFIX. So, what's the point of reporting bugs?...

The fix is easy, only interpret .desktop files IFF they have the +x bit set (IOW, apply the regular UNIX semantics). It shouldn't take more than a few lines in Gnome and KDE to fix it, and distros can easily modify the scripts to make all the .desktop files +x-

Re:Solution

[Ed+Avis]

The vulnerability is in the way the desktop environment hides information from the user so you have no way (even if you are an experienced and responsible user) to avoid executing the malware. You get an attachment by mail, you just save it to look at it and see what it is (a one-click, and expected-safe operation) but when it appears on the desktop background, it's disguised as something else (the .desktop file can choose any icon and name it wants), and double-clicking to view the file in fact *executes* the code without asking you.

What should happen: you save the file; if you chose to save it to the desktop background it appears there, but because it's not marked executable it will not run when you double-click it. Instead the file contents open in a text editor, or some other fairly boring but safe action.