Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-20 Thread David Schmitt
On Wednesday 19 January 2005 04:45, David Mandelberg wrote:
> Attached.
>
> Save to your GNOME/KDE desktop (like many newbies do) and double click the
> new icon. .desktop files (currently) don't need the x bit set to work, so
> no chmod'ing is necessary.

Hmm, attached is a screenshot of how every MUA should handle this.

With this display, no attachment could ever fake its way into naive[1] users'
brains.



Regards, David


[1] naive != stupid
attachment: kmail.png

Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread David Mandelberg
Rick Moen wrote:
> Quoting David Mandelberg ([EMAIL PROTECTED]):
>> Do you mean to say that opening message.txt\t\t\t.desktop which
>> happens to be a freedesktop.org compliant launcher for the program rm
>> -rf $HOME is safe because it's designed for people running one of the
>> F/OSS products GNOME or KDE on a F/OSS OS?
>
> Please advise this mailing list of which specific Linux or BSD MUA (or
> specific configuration thereof) is willing to execute a received binary
> or script attachment.  I'll be very interested to read your specific report
> that details an actual, reproducible test.

Attached.

Save to your GNOME/KDE desktop (like many newbies do) and double click the new
icon. .desktop files (currently) don't need the x bit set to work, so no
chmod'ing is necessary.

This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if it
had Terminal=false, had the OOo writer icon, a title of something.sxw and
actually rm -rf'd $HOME, it would look like a broken OOo document while cleaning
some poor newbie's $HOME.

-- 
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GAT/CM$/CS$/CC/IT$/M/S/O/U dpu s+:++ !a C++$C+++$
UB+++$L$*-- P+++$ L+++()$ E-(---) W+++$ N(+) o? K-
w--(---) O? M V? PS++@ PE-@ Y+@ PGP++(+++)$ t? 5? X? R tv--(-)
b++(+++)@ DI? D? G e- h* r? z*
--END GEEK CODE BLOCK--

David Mandelberg
[EMAIL PROTECTED]


message.txt .desktop
Description: application/desktop
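The masquerading tricks described in this post (a document-looking filename with the ".desktop" suffix pushed out of view by whitespace, a Name key such as something.sxw, a borrowed OOo icon, Terminal=false so nothing visible happens) can all be read straight out of the Desktop Entry text, which is what a file manager or MUA would need to do to show the user what a double-click really runs. The script below is an added example, not code from anyone in this thread; the lists of document extensions and icon names, the function names and the two sample launchers are constructed for the demonstration.

```python
"""Inspect a received .desktop launcher for the masquerading tricks above.

Added example (not code from anyone in this thread). It parses the
freedesktop.org Desktop Entry text, reports the command a double-click
would actually run, and flags: a visible filename that ends in a document
extension once the '.desktop' suffix and its whitespace padding are removed,
a Name key ending in a document extension, a borrowed office icon, and
Terminal=false hiding the command's output. The extension and icon lists
are assumptions made for this demonstration.
"""
import configparser
import posixpath

DESKTOP_SUFFIX = ".desktop"
# Extensions a user expects to open in a viewer, not to launch a program (constructed list).
DOCUMENT_EXTENSIONS = {".txt", ".sxw", ".doc", ".odt", ".pdf", ".jpg", ".png"}
# Icon names that make a launcher look like an office document (constructed list).
DOCUMENT_ICONS = {"ooo-writer", "openoffice", "libreoffice-writer", "text-x-generic"}
SHELL_METACHARS = set(";|&`$<>")

# Constructed sample: a harmless lookalike launcher in the spirit of this post.
LOOKALIKE_SAMPLE = """[Desktop Entry]
Type=Application
Name=something.sxw
Icon=ooo-writer
Exec=sh -c 'echo a launcher ran here instead of a document; read dummy'
Terminal=false
"""

# Constructed sample: an ordinary application launcher for comparison.
PLAIN_SAMPLE = """[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox
Exec=firefox %u
Terminal=false
"""


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict, or {} if the text has none."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Desktop Entry keys are case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("Desktop Entry"):
        return {}
    return dict(parser.items("Desktop Entry"))


def visible_name(filename):
    """The name a file manager shows: basename without '.desktop' and without
    the whitespace padding that pushes the real suffix out of view."""
    base = posixpath.basename(filename)
    if base.endswith(DESKTOP_SUFFIX):
        base = base[: -len(DESKTOP_SUFFIX)]
    return base.rstrip()


def has_document_extension(name):
    return posixpath.splitext(name)[1].lower() in DOCUMENT_EXTENSIONS


def analyze(filename, text, executable_bit):
    """Summarise what the launcher would run and which masquerading signs it shows."""
    entry = parse_desktop_entry(text)
    if "Exec" not in entry:
        return {"is_launcher": False, "exec": "", "signs": [], "verdict": "not a launcher"}
    exec_cmd = entry["Exec"].strip()
    signs = []
    shown = visible_name(filename)
    if has_document_extension(shown):
        signs.append("filename shows as document %r but is a launcher" % shown)
    if has_document_extension(entry.get("Name", "")):
        signs.append("Name key %r imitates a document" % entry["Name"])
    if entry.get("Icon", "").lower() in DOCUMENT_ICONS:
        signs.append("borrows the document icon %r" % entry["Icon"])
    masquerading = bool(signs)
    if masquerading and entry.get("Terminal", "false").lower() == "false":
        signs.append("Terminal=false, so the command runs with no visible window")
    if SHELL_METACHARS & set(exec_cmd):
        signs.append("Exec carries shell metacharacters")
    if not executable_bit:
        signs.append("no executable bit, yet the desktop would launch it anyway")
    return {
        "is_launcher": True,
        "exec": exec_cmd,
        "signs": signs,
        "verdict": "masquerading launcher" if masquerading else "plain launcher",
    }


if __name__ == "__main__":
    # The tab padding in the filename is the trick quoted earlier in this thread.
    for name, text, x_bit in (("message.txt\t\t\t.desktop", LOOKALIKE_SAMPLE, False),
                              ("firefox.desktop", PLAIN_SAMPLE, True)):
        report = analyze(name, text, x_bit)
        print("%s: %s -> runs %r" % (name.replace("\t", "\\t"), report["verdict"], report["exec"]))
        for sign in report["signs"]:
            print("  - " + sign)
```

The point of the check is the one David Schmitt makes with his KMail screenshot: decide by content, not by the name the attachment carries. A plain text file named notes.txt never parses as a Desktop Entry and is reported as "not a launcher", while the lookalike is reported with the exact Exec line it would run, regardless of how the filename or icon dresses it up.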


Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Rick Moen
Quoting David Mandelberg ([EMAIL PROTECTED]):

> Attached.
>
> Save to your GNOME/KDE desktop (like many newbies do) and double click
> the new icon. .desktop files (currently) don't need the x bit set to
> work, so no chmod'ing is necessary.

I'm sorry, but the question was: 

Please advise this mailing list of which specific Linux or BSD MUA (or
specific configuration thereof) is willing to execute a received
binary or script attachment.  I'll be very interested to read your specific
report that details an actual, reproducible test.

You appear to have answered some question I didn't ask.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: .desktop arbitrary program execution (was: [SECURITY] [DSA 644-1] New chbg packages fix arbitrary code execution)

2005-01-18 Thread Alvin Oga

On Tue, 18 Jan 2005, David Mandelberg wrote:

> Save to your GNOME/KDE desktop (like many newbies do) and double click the
> new icon. .desktop files (currently) don't need the x bit set to work, so no
> chmod'ing is necessary.

that'd be dumb of the user

> This one is pretty harmless (it just echoes rm -rf $HOME and pauses), but if
> it had Terminal=false, had the OOo writer icon, a title of something.sxw and
> actually rm -rf'd $HOME, it would look like a broken OOo document while
> cleaning some poor newbie's $HOME.

that'd be even dumber of the user ..

and it is a known problem from 15-20 years ago ..

- don't click or execute commands you do not know 
what it will be doing

- even simple things like ls, tar, cat can be renamed ( cracked )
to something more painful

- it's not a security issue ... and is unsolvable, not preventable
  if you click on things or execute commands manually

- the super paranoid might be using encrypted fs with 
md5 of their commands before executing cat foo

c ya
alvin


