Slashdot Mirror


Debian, Gnome Patched 'Bad Taste' VBScript-Injection Vulnerabilities (neowin.net)

Slashdot reader KiloByte warned us about a new exploit for .MSI files named "bad taste". Neowin reports: A now-patched vulnerability in the "GNOME Files" file manager was recently discovered which allowed hackers to create dodgy MSI files which would run malicious VBScript code on Linux... Once Nils Dagsson Moskopp discovered the bug, he reported it to the Debian Project which fixed it very rapidly. The GNOME Project also patched the gnome-exe-thumbnailer file which is responsible for parsing MSI and EXE files inside the GNOME Files app... If you run a Linux distribution with the GNOME desktop it's advisable to run the update manager and check for updates as soon as possible before you become affected by this critical vulnerability.


  1. "Bad taste" by Anonymous Coward · · Score: 1, Funny

    Well! That certainly explains systemd!

  2. WTF? by Anonymous Coward · · Score: 2, Interesting

    Who infected the festering heap that is Gnome to run VBscript?

    1. Re:WTF? by arglebargle_xiv · · Score: 3, Funny

      Oh for fsck's sake, we're now virus-compatible with Windows?

  3. Requires WINE? by HalAtWork · · Score: 3, Interesting

    How exactly does the VBScript execute on a default Linux distro? Can anything other than VBScript get injected?

    1. Re:Requires WINE? by Nutria · · Score: 1

      Not just Wine, but also Winetricks.

      From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html/:

      If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Requires WINE? by KiloByte · · Score: 4, Informative

      Nope, Wine itself is enough, at least on installations which I looked at.

      On the other hand, the exe thumbnailer is not an official Gnome project but comes from Ubuntu -- so with all of Gnome's insanities, this one is not their fault.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Requires WINE? by alvarogmj · · Score: 1

      It's a shame you posted this as an AC, because most people won't see it by default.

      I fully agree with the 5 points you mentioned, and I write this as somebody who has written his share of hundred-lines-long shell scripts. Point 5 is the first thing I thought when I read the description of the problem: "why the hell are you trying to parse an MSI just to show an icon, while in Linux? what is the benefit of doing it?".

      Another idea is: did this code pass a code review? I know this is open source and people work on what they like, when they feel like it, but for a project as big as gnome, I would expect code reviews to be a part of the process. Somebody should have seen the commit which "solved" the problem and said something like "this is not acceptable, let's put this minor feature in the backlog and solve it once it is possible to do it in a sane way".

      This is a bug which should disappoint every developer in the project, because it feels amateurish, it doesn't feel like something that should happen in one of the biggest, most successful open source software projects.

  4. Mission Accomplished! by nt2ldap · · Score: 4, Insightful

    Looks like the Gnome Project has finally arrived: after years of bending and twisting to get Windows-like behavior out of the Linux desktop (you know, the "sad face" screen that appears when it crashes, oh wait... that would be MacOS!), they've finally done one better -- made Linux vulnerable to Windows malware. This time the trade off was decorations for security. Having already banned smb from our networks, we thought we were safe. Maybe it's time to look for a new DE. I think twm is still in the Fedora repo...

  5. What the heck? by 93+Escort+Wagon · · Score: 1

    Admittedly it's been over a decade since I used a desktop version of Linux, but - is the ability to run VBScript part of the default Gnome installation nowadays? And, if so... what idiot (or group of idiots) decided that was a good idea?

    --
    #DeleteChrome
    1. Re: What the heck? by Zero__Kelvin · · Score: 4, Informative

      No. It isn't the default. You need to install wine. IOW if you are using Linux, and not adding support for Windows garbage, then you have nothing to worry about.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re: What the heck? by chipschap · · Score: 1

      The other important point to note is that the vulnerability has already been patched. Not security by obscurity, not denial, not "we'll fix it on Patch April Fool's Day" --- it's done.

    3. Re: What the heck? by Zero__Kelvin · · Score: 1

      Another interesting thing to note is the morons latching on to this one already fixed issue and claiming it means Linux is dead and all the good developers are moving or have moved to Windows :^)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  6. Here's why it works: by GerbilSoft · · Score: 4, Informative

    gnome-exe-thumbnailer is a shell script that uses Wine to do the actual thumbnailing. The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon.

    The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

    1. Re:Here's why it works: by Anonymous Coward · · Score: 3, Insightful

      The script uses Wine's VBScript interpreter to run a small VBScript to extract the icon

      ... why?

    2. Re:Here's why it works: by HyperQuantum · · Score: 1

      The malicious MSI therefore ends up tricking gnome-exe-thumbnailer into running arbitrary VBScript.

      This looks to me like the script equivalent of an SQL injection attack. In an SQL injection, unverified text is copied into an SQL query, which allows an attacker to execute arbitrary SQL commands. In this 'bad taste' vulnerability, a filename (which can contain almost any possible character) is copied into a small VB script, allowing an attacker to execute arbitrary VB script code simply by giving a file a carefully crafted name.

      Aside from the injection vulnerability, this particular version of the attack would not be possible if there had been some extra restrictions on what characters are permitted to be used in filenames (on Linux). Scripting would be a lot easier if one did not have to account for the possibility that people use double quotes, newline characters or even stranger things in filenames. Sadly, there are those who oppose any restriction on which characters can be used in filenames, simply because they want to be able to abuse the filesystem as a cheap hash table with raw binary data as filenames.

      --
      I am not really here right now.
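
The templating problem described in the comment above, shown as an added example that is not part of the thread and is not gnome-exe-thumbnailer's own code: a shell function pastes a file name into a one-line VBScript template, next to a variant that encodes the name as a VBScript string literal or refuses it. The template line `Path = "..."`, the function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in, not gnome-exe-thumbnailer's code: a one-line VBScript
# template that a shell script fills in with a file name.

# Unsafe: the name is pasted into the string literal unchanged.
render_unsafe() {
    printf 'Path = "%s"\n' "$1"
}

# A VBScript string literal ends at the next double quote and cannot span
# lines; a quote inside one is written as two quotes. Encode accordingly and
# refuse names with control characters instead of trying to repair them.
vbs_quote() {
    stripped=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ] || return 1
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Safe: either exactly one well-formed assignment, or no script at all.
render_safe() {
    literal=$(vbs_quote "$1") || return 1
    printf 'Path = %s\n' "$literal"
}

# Number of lines in a rendered script; the template has exactly one.
script_lines() {
    printf '%s' "$1" | grep -c ''
}

# Constructed sample names: plain, with quotes, with a quote and a newline.
NAME_PLAIN='setup.msi'
NAME_QUOTE='my "demo".msi'
NAME_BREAK='demo".msi
second line'

for name in "$NAME_PLAIN" "$NAME_QUOTE" "$NAME_BREAK"; do
    unsafe=$(render_unsafe "$name")
    printf 'unsafe render: %s line(s)\n' "$(script_lines "$unsafe")"
    if safe=$(render_safe "$name"); then
        printf 'safe render:   %s\n' "$safe"
    else
        printf 'safe render:   name rejected (control characters)\n'
    fi
done
```

A generator that keeps the script text constant and hands the name over as an argument avoids the quoting question entirely; the encoder above is for cases where the name has to appear in generated script text.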
  7. Yes/No/Maybe by iYk6 · · Score: 1

    It looks like it might execute on a default distro, but it depends which packages you have installed. A heavy distro such as Ubuntu might have these packages by default.

    The summary has a link to a good description of the bug from the bug's founder. It looks like the poorly written line is specifically intended to execute VBScript, so I doubt you could use another scripting language or executable binary. However, you could use VBScript to write arbitrary content to .bashrc, which you could cause to download an arbitrary binary and execute it.

  8. Linux is nothing but a disappointment these days. by Anonymous Coward · · Score: 3, Insightful

    I'd been a Linux user for a very long time. I'd started with Yggdrasil before moving to Debian. For most of the 1990s and even up until about 2008 or 2009, I felt proud to use Linux.

    During that period I used to watch friends, family and coworkers use Windows. They'd suffer from BSODs. They'd suffer from malware infections. But my Linux installations were the opposite. I never experienced crashes. I never experienced security problems. Linux of that era was robust and trustworthy.

    But those days are long gone. It's a real shame what Linux has become. To be fair, the kernel isn't too bad. But almost everything around the kernel has gone to hell.

    It got to the point where I had nothing but trouble with almost every aspect of a typical desktop Linux installation. Systemd caused me numerous problems. If I was lucky enough to get past those, then it would be PulseAudio or NetworkManager that weren't working. If I got them working, or just ignored that they were broken, I was faced with the awful GNOME 3 environment, unless I went out of my way to install KDE (which isn't much better) or Xfce. Even then, installing 3D graphics drivers was always so risky. Most of the time I found they just wouldn't work.

    I still can't believe how quickly it all went to hell. Just compare a modern Linux desktop installation to macOS, or even Windows 10. The Linux installation will feel amateurish and fragile.

    Now, I have to admit that Linux has seen some success on mobile devices. But that's also a very interesting situation. Linux only became popular in the case of Android because they didn't use systemd, X, GNOME, GTK+, or much of the existing infrastructure of a typical Linux distro. It was all discarded and replaced with custom software. It's difficult to call Android "Linux", when the kernel is buried so deeply. There are probably app developers who have no idea that the Linux kernel is down there.

    If you had asked me in 2005 how I thought Linux would be doing a decade or more later, well, I wouldn't have imagined it to be anything like it is now. I never would have guessed that something as anti-UNIX and Windows-like as systemd would end up in Debian. I never would have guessed that GNOME 3 would be such a disaster. I never would have guessed that X wouldn't have progressed much. I never would have guessed that macOS and Windows were objectively better OSes.

    Linux is nothing but a disappointment these days. I wish that wasn't the case, but it unfortunately is how it is.

  9. Re:Linux is nothing but a disappointment these day by Anonymous Coward · · Score: 5, Insightful

    Linux of that era was robust and trustworthy.

    It wasn't, you just believed that it was.

    Grab a fresh install of that vintage, and the NSA and every script kiddie from here to eastern Europe will have three dozen working exploits for it.

    Linux at the time was a VERY unimportant target. It wasn't established in the server space yet, and it was all but zero percent of the desktop. It wasn't worth bothering with.

    Now that it is, if you use a Linux of that vintage it can be pwned with little more difficulty than Windows 95.

    Any OS requires constant security updates to stay in the game.

  10. Re: Linux is nothing but a disappointment these da by Anonymous Coward · · Score: 1

    Your comment is a good example of why open source software in general is in such a sad state these days. When long time users point out very real and very unacceptable problems involving open source software, they're immediately mislabeled as "trolls", or they're attacked in some other way.

    We've seen this within the Firefox community. We've seen this within the GNOME 3 community. We've seen this within the systemd community. We've seen this with the Debian community.

    It shouldn't surprise us that things have gotten so bad. Many of the best open source contributors have been driven away from the Linux-oriented open source projects. They've moved to OSes like FreeBSD, macOS, and even Windows, because those OSes offer a far superior experience. The developers who remain are the flotsam of the open source community.

    Here we are talking about an exploit affecting GNOME and Linux, and it uses goddamn VBScript of all things! Yet you have the gall to say that the situation "just keeps getting better."

    Maybe you're too naive to realize this, but something is very, very, very, very inexcusably wrong when in 2017 a VBScript exploit is affecting GNOME and Linux! That's the sign of a very unhealthy ecosystem. The situation is obviously not "getting better".

  11. This vulnerability is inexcusable. by Anonymous Coward · · Score: 5, Insightful

    This was a VBScript exploit affecting GNOME and Linux in 2017. Think that through. Let it sink in.

    Just because it may have been fixed doesn't make this incident acceptable.

    It never should have happened in the first place!

    Everything about this incident is wrong, and extremely shameful.

    It is an indication of just how rotten the Linux and GNOME development communities have gotten lately.

  12. Re:Linux is nothing but a disappointment these day by sombragris · · Score: 3, Insightful

    I'd suggest you use Slackware. Solid and stable like a rock; and also, fast. The price to pay is that you usually should have a modicum of technical competence; which you appear to possess, given the distro history you claim. Try it; if you really are disappointed by what you mention in your comment, chances are these are nonexistent or highly mitigated in Slackware (for example, there's no systemd; init is a simple, easy to understand BSD init with a SysV compatibility layer for those who would want it).

    --
    -- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
  13. One question by viperidaenz · · Score: 1

    Why does a thumbnail extractor have the capability to run any sort of code?

  14. Re:Here's a much better question: by 0123456 · · Score: 2

    A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

    Oh, yeah, because Windows has been doing it for years.

  15. Re:Here's a much better question: by GerbilSoft · · Score: 1

    Looking through gnome-exe-thumbnail, it overlays the program's version number on top of the icon. Windows doesn't do this, but Windows Explorer will show the program version in the properties panel on the bottom of the window and in the file properties page.

  16. Re:Here's a much better question: by tlhIngan · · Score: 1

    A better question is, why do we need thumbnail preview at all? It's a huge attack surface that doesn't even require you to open a file to get infected. Not to mention a huge performance hog.

    Oh, yeah, because Windows has been doing it for years.

    Well, thumbnail previews are helpful for the common case of a collection of photos in a directory. Perhaps you're totally organized and categorize the heck out of every digital photo you take, but most people are not, and it's nice to open a folder of photos and quickly glance and see what they're about than to see generic icons and open each one to see what the file is inside.

    It's a user thing. It's why complex beasts like NetworkManager, Pulse Audio and SystemD exist - because no amount of "simple scripting" can get around fundamental limitations of the "keep it the Unix way".

    In fact, why do shell scripts in sysvinit ... reimplement init? The default init that sysvinit uses already handles daemonizing really well, and if daemons die, it can easily restart them. In fact, if they die too quickly, init will stop spawning it for 5 minutes. And to heck with S/K scripts, since init handles runlevel invocations as well. The only reason I can see is that editing inittab is too hard, but we seem to make do with other files like passwd and such.

    And users like NetworkManager - because things like WiFi screw up the networking model Unix created. (Just because you connect to WiFi, doesn't mean you want the same settings for WiFi - perhaps you connect to public WiFi and want a VPN, while corporate WiFi you don't. And then there's multiple connections...).

    And Pulse Audio is a pain, but necessary to accomplish some tricky audio routing issues. For example, take a standard PC with a sound card. It's playing music or a video, and there's a VoIP app running in the background. The user wants to take the call, so they plug in their headset via USB or Bluetooth, and the VoIP app's audio needs to move to the new sound device transparently - the app shouldn't need to close and reopen (or even know a new audio device was added). Yes, it works in Windows when people insist on using voice with Skype (I normally just use speakers and built in microphone, but if there are people around, a headset gets better privacy. But I don't have a headset - I borrow one from my manager since work doesn't provide me with one and I don't use one enough to justify the expense. I plug it in, and magically, the call is routed to them and I can chat in privacy).

    Oh yes, the audio from the existing music player or video player must NOT be routed to the headset, either.

    Feel free to try to implement these two basic use cases with shell scripts.

  17. Re: Linux is nothing but a disappointment these da by Brockmire · · Score: 1

    My experience with Linux has been the opposite going back to the 90's. Finding drivers and building kernels was a major fucking pain. I'd spend weekends trying to get a distro running, only to have a few showstoppers. Everything was command line shit. Everything required modification. You didn't just end up with a 30 minute install with all drivers installed with default install media. Video capture was a fucking nightmare. I remember Ubuntu at work couldn't be upgraded or backed up for having too many fucking inodes! It's a fucking file server! Aside for some bad lxle installs, the typical Linux default install just works with all drivers found. Since systemd, I found it easier to setup new boxes and not have to fucking learn how to script start every service on half a dozen distros.