Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)
On Wednesday 19 January 2005 04:45, David Mandelberg wrote:
> Attached. Save to your GNOME/KDE desktop (like many newbies do) and double
> click the new icon. .desktop files (currently) don't need the x bit set to
> work, so no chmod'ing is necessary.

Hmm, attached is a screenshot of how every MUA should handle this. With this display, no attachment could ever fake its way into naive[1] users' brains.

Regards,
David

[1] naive != stupid

attachment: kmail.png
Re: .desktop arbitrary program execution
Rick Moen wrote:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>> Attached. Save to your GNOME/KDE desktop (like many newbies do) and double
>> click the new icon. .desktop files (currently) don't need the x bit set to
>> work, so no chmod'ing is necessary.
>
> I'm sorry, but the question was:
>
>> Please advise this mailing list of which specific Linux or BSD MUA (or
>> specific configuration thereof) is willing to execute a received binary or
>> script attachment. I'll be very interested to read your specific report
>> that details an actual, reproducible test.
>
> You appear to have answered some question I didn't ask.

You also asked a question about something I didn't say (I said that the person had to open it).

David Mandelberg

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: .desktop arbitrary program execution
* Rick Moen:
> Please advise this mailing list of which specific Linux or BSD MUA (or
> specific configuration thereof) is willing to execute a received binary or
> script attachment.

mutt and Gnus are, in typical configurations. Most distributions kindly add all these helpful mailcap entries.
Re: .desktop arbitrary program execution
On Wed, Jan 19, 2005 at 12:49:57PM +0100, Florian Weimer wrote:
> * Rick Moen:
>> Please advise this mailing list of which specific Linux or BSD MUA (or
>> specific configuration thereof) is willing to execute a received binary
>> or script attachment.
>
> mutt and Gnus are, in typical configurations. Most distributions kindly
> add all these helpful mailcap entries.

My mailcap file (made by the Debian installation) doesn't have any of these capabilities. I cannot verify for other distributions, but this is a Debian list here anyway ...

-- Vincent Hanquez
Re: .desktop arbitrary program execution
Florian Weimer [EMAIL PROTECTED] wrote:
> mutt and Gnus are, in typical configurations. Most distributions kindly
> add all these helpful mailcap entries.

Could you point out a mailcap entry that causes the file to be *executed*? Because running "gqview $file.jpg" is very different from running "$file.jpg", and you would do it (with the viewer of your choice) just the same, but by hand, with less helpful MUAs.

Just curious.

-- Florent
Re: .desktop arbitrary program execution
* Florent Rougon:
> Florian Weimer [EMAIL PROTECTED] wrote:
>> mutt and Gnus are, in typical configurations. Most distributions kindly
>> add all these helpful mailcap entries.
>
> Could you point out a mailcap entry that causes the file to be *executed*?

For complex file formats, there is no clear distinction between opening a file and executing it.
Re: .desktop arbitrary program execution
On Wed, Jan 19, 2005 at 04:29:46PM +0100, Florian Weimer wrote:
> For complex file formats, there is no clear distinction between opening a
> file and executing it.

Sure there is. For some filetypes execution is an intended effect; that is, you expect arbitrary code to run. For other filetypes there's an unexpected side effect that allows arbitrary code to run. In the second case there's a bug that can be fixed. In the first case you just don't execute the file if it's from an untrusted source.

Mike Stone
Re: .desktop arbitrary program execution
Quoting Florian Weimer ([EMAIL PROTECTED]):
> mutt and Gnus are, in typical configurations. Most distributions kindly
> add all these helpful mailcap entries.

Perhaps you need assistance comprehending the word "specific" (used twice in my question)? I await with interest your achieving that rarefied state.
Re: .desktop arbitrary program execution
Rick Moen wrote:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>> You also asked a question about something I didn't say (I said that the
>> person had to open it).
>
> Actually, no, you didn't. (Presumably you intended to, though.) Your
> question spoke of opening a particularly-named attachment: You left
> unstated who or what was supposed to be doing the opening. Since this was
> in the context of MUAs, I inferred that you meant the MUA doing it -- that
> being a standard application-security problem.
>
> Specifically, you said:
>
>> Do you mean to say that opening message.txt\t\t\t.desktop which happens
>> to be a freedesktop.org compliant launcher for the program "rm -rf $HOME"
>> is safe because it's designed for people running one of the F/OSS
>> products GNOME or KDE on a F/OSS OS?
>
> Since (it turns out) you meant people _manually_ shooting themselves in
> the foot, that is indeed a different scenario from what I thought you
> meant. So, I'm sorry for inadvertently stepping on your scenario, but it
> was an honest and straightforward interpretation of what you said.

Ok, I guess I should be more clear with my use of language next time, sorry.

David Mandelberg
Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)
Rick Moen wrote:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>> Do you mean to say that opening message.txt\t\t\t.desktop which happens
>> to be a freedesktop.org compliant launcher for the program "rm -rf $HOME"
>> is safe because it's designed for people running one of the F/OSS
>> products GNOME or KDE on a F/OSS OS?
>
> Please advise this mailing list of which specific Linux or BSD MUA (or
> specific configuration thereof) is willing to execute a received binary or
> script attachment. I'll be very interested to read your specific report
> that details an actual, reproducible test.

Attached. Save to your GNOME/KDE desktop (like many newbies do) and double click the new icon. .desktop files (currently) don't need the x bit set to work, so no chmod'ing is necessary.

This one is pretty harmless (it just echoes "rm -rf $HOME" and pauses), but if it had Terminal=false, had the OOo Writer icon, a title of something.sxw and actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning some poor newbie's $HOME.

David Mandelberg

attachment: message.txt .desktop (application/desktop)
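The disguise David describes (a launcher whose file name and Name= promise a document, with whitespace hiding the real suffix and Terminal=false so nothing is shown) can be checked for mechanically before anything is clicked. The audit below is an added example, not the attachment from this thread; the two .desktop texts are constructed samples, and the list of "document-like" extensions is an assumption for illustration.

```python
import re
# Extensions a user expects to open as a document or picture, never as a launcher (assumed list).
DOC_EXTS = (".txt", ".sxw", ".odt", ".doc", ".pdf", ".jpg", ".png")

def parse_desktop_entry(content):
    """Collect key=value pairs from the [Desktop Entry] group; other groups are ignored."""
    entry, group = {}, None
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group == "Desktop Entry" and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry

def audit_desktop_entry(filename, content):
    """Return the reasons (possibly none) why this launcher looks like a disguised document."""
    entry = parse_desktop_entry(content)
    findings = []
    if entry.get("Type") != "Application" or "Exec" not in entry:
        return findings  # not a program launcher, so nothing here can run a command
    if re.search(r"\s+\.desktop$", filename):
        findings.append("padded-name")  # whitespace pushes the real suffix out of view
    stem = re.sub(r"\s*\.desktop$", "", filename).lower()
    shown = entry.get("Name", "").lower()
    if stem.endswith(DOC_EXTS) or shown.endswith(DOC_EXTS):
        findings.append("document-extension")  # name promises a document, content is a launcher
        if entry.get("Terminal", "false").lower() != "true":
            findings.append("silent-exec")  # no terminal window: the user sees nothing happen
    return findings

# Constructed samples (not the thread's attachment): a disguised launcher and a normal one.
SPOOFED = """[Desktop Entry]
Type=Application
Name=something.sxw
Icon=ooo-writer
Exec=sh -c "echo this is not a document"
Terminal=false
"""
BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=firefox %u
Terminal=false
"""
```

Running `audit_desktop_entry("message.txt\t\t\t.desktop", SPOOFED)` reports all three findings, while the Firefox entry reports none; a file manager or MUA could refuse to launch, or at least warn on, any entry with a non-empty result.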
Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)
Quoting David Mandelberg ([EMAIL PROTECTED]):
> Attached. Save to your GNOME/KDE desktop (like many newbies do) and double
> click the new icon. .desktop files (currently) don't need the x bit set to
> work, so no chmod'ing is necessary.

I'm sorry, but the question was:

> Please advise this mailing list of which specific Linux or BSD MUA (or
> specific configuration thereof) is willing to execute a received binary or
> script attachment. I'll be very interested to read your specific report
> that details an actual, reproducible test.

You appear to have answered some question I didn't ask.
Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)
On Tue, 18 Jan 2005, David Mandelberg wrote:
> Save to your GNOME/KDE desktop (like many newbies do) and double click the
> new icon. .desktop files (currently) don't need the x bit set to work, so
> no chmod'ing is necessary.

That'd be dumb of the user.

> This one is pretty harmless (it just echoes "rm -rf $HOME" and pauses),
> but if it had Terminal=false, had the OOo Writer icon, a title of
> something.sxw and actually rm -rf'd $HOME, it would look like a broken
> OOo document while cleaning some poor newbie's $HOME.

That'd be even dumber of the user .. and it is a known problem from 15-20 years ago ..

- don't click or execute commands you do not know what it will be doing
- even simple things like ls, tar, cat can be renamed (cracked) to something more painful
- it's not a security issue ... and is unsolvable, not preventable, if you click on things or execute commands manually
- the super paranoid might be using an encrypted fs with md5 of their commands before executing "cat foo"

c ya
alvin