It goes something like this:
1) Open a malicious email attachment or go to a website with malicious javascript or whatever...
2) A program is downloaded and executed with your permissions
3) It edits ~/.local/applications/synaptic.desktop or whatever other popular program.
4) In the new .desktop file it adds to the run command some nasty key logger, so now when you launch Synaptic (or pacman if someone were to attack Archers) it logs your keystrokes.
5) Now it has your root password and can do whatever it wants.
I just want to know: How likely is this, really??
Can a website seriously just download and run a file without me knowing? I doubt Firefox would let that happen... Or could an email attachment be executed without me being able to read it first? I'm pretty sure it can't...
I don't understand why people seem to be concerned about .desktop files...
I'm not even worried about my Windows machine on my home network. My router is set to reject as much stuff as it can and all computers have remote log-ins disabled. The only security problem I worry about is that my Fiancee's online courses actually send .doc's through the net, which I've heard is bad practice.
Just don't use no silly desktop environment and you don't have to worry about no silly .desktop files
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
Don't use no silly computer! Doh...
Seriously, anybody know?
never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::
I've experimented with .desktop files; in some DEs they will just be executed. Some work without the .desktop extension as well: IIRC pcmanfm won't, but dolphin and konq will, even though the file extension is missing.
http://www.geekzone.co.nz/foobar/6229
Placing files in ~/.config/autostart will make them start regardless of execution bit, and ~/.local/share/applications/name.desktop should turn up as a menu item.
The hard part is getting it on the system; that will take user idiocy, i.e. unzipping an untrusted file to the desktop and clicking it, or accepting a signed applet/web start from a malicious site that has the ability to write on the client. I guess in theory it is possible but would certainly need assistance from the user. I did get out my password by running strace on a su-gui, and with xdg-su in some distros I suspect it could be written more generically.
If an attacker can execute code on your machine there are lots of other things he could do besides messing with a couple of *.desktop files. But yes, in theory this is possible. All it takes is a security hole in your browser or your willingness to download and execute something on your system.
What I've read about it has a nasty tweak: a properly crafted .desktop file could launch a dialog asking for your/root password, at which point it wreaks havoc in the system and opens the add/remove software, updates or whatever it is disguised to do, and the user doesn't realize what just happened.
Of course there is always the other option of running as the user and doing whatever it can; if the creator is smart and lucky enough he/she will be able to put a nasty payload on the autostart list and the user can have a zombie machine without even knowing.
It doesn't need to break the system to do a lot of damage, wiping or stealing data from the user account is enough. Of course, this has a higher probability of happening if you run and/or install everything you find in untrusted places without proper review first.
The thing is that there are so many distros and so many versions of each distro, each with slightly different settings, DEs, browsers and whatnot that I guess it still isn't worth the bother unlike with platforms where everyone uses the same browser, possibly the default settings that come with a clean system install and worse, no security updates/patches.
Add to this the complete lack of good sense and the common (and somewhat accepted I guess) practice of using cracks and keygens for you know what and you start to understand how come at least some users keep getting the same problems over and over again.
These days with Linux it is extremely easy to keep the system up to date with the latest security fixes. Users tend to look for free alternatives to paid programs and look first in the package manager to see if it is already available; this alone helps a lot. Add a dose of good sense and you should be good to go.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
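The two user-writable locations mentioned in this thread (~/.local/share/applications, which shadows the system launcher of the same name, and ~/.config/autostart, which runs at login) are also the places a defender can check. The script below is an added example, not code from any poster or from Arch; it parses the .desktop files in both trees and reports user launchers whose Exec= line differs from the copy in /usr/share/applications, user launchers with no system counterpart, and every active autostart entry. The sample tree it audits with --demo is constructed here (the "wrapper" and "upd" paths are placeholders for the scenario the thread describes), and /usr/share/applications is assumed to be the system launcher directory.

```python
#!/usr/bin/env python3
"""Audit user-level .desktop files for launcher overrides and autostart entries.

A file in ~/.local/share/applications shadows the system launcher of the
same name in /usr/share/applications, and anything in ~/.config/autostart
runs at session login. Both are writable by the user, so a process running
with the user's permissions can plant entries there. This script reports:
  * user launchers whose Exec= differs from the system copy,
  * user launchers with no system counterpart at all,
  * every active autostart entry (Hidden=true ones are skipped).
"""
import configparser
import sys
import tempfile
from pathlib import Path


def parse_desktop(path):
    """Return the [Desktop Entry] section of a .desktop file as a dict."""
    cp = configparser.RawConfigParser(strict=False)   # tolerate duplicate keys
    cp.optionxform = str                               # keep key case: Exec, not exec
    cp.read(path, encoding="utf-8")                    # no interpolation, so %u is safe
    if not cp.has_section("Desktop Entry"):
        return {}
    return dict(cp.items("Desktop Entry"))


def audit(user_apps, system_apps, autostart):
    """Compare user launchers with system ones and list active autostart entries."""
    findings = []
    for user_file in sorted(Path(user_apps).glob("*.desktop")):
        user_exec = parse_desktop(user_file).get("Exec")
        system_file = Path(system_apps) / user_file.name
        if not system_file.is_file():
            findings.append({"kind": "no-system-counterpart",
                             "file": user_file.name, "exec": user_exec})
            continue
        system_exec = parse_desktop(system_file).get("Exec")
        if user_exec != system_exec:
            findings.append({"kind": "exec-overridden", "file": user_file.name,
                             "exec": user_exec, "system_exec": system_exec})
    for auto_file in sorted(Path(autostart).glob("*.desktop")):
        entry = parse_desktop(auto_file)
        if entry.get("Hidden", "false").strip().lower() == "true":
            continue  # Hidden=true disables the entry per the XDG autostart spec
        findings.append({"kind": "autostart", "file": auto_file.name,
                         "exec": entry.get("Exec")})
    return findings


# Constructed sample tree (placeholder paths): a benign override, a tampered
# launcher like the one the thread describes, a stray launcher, and two
# autostart entries, one of them disabled with Hidden=true.
DEMO_FILES = {
    "system/synaptic.desktop": "[Desktop Entry]\nName=Synaptic\nExec=synaptic-pkexec\n",
    "system/firefox.desktop": "[Desktop Entry]\nName=Firefox\nExec=firefox %u\n",
    "user/synaptic.desktop": "[Desktop Entry]\nName=Synaptic\n"
                             "Exec=/home/user/.cache/wrapper synaptic-pkexec\n",
    "user/firefox.desktop": "[Desktop Entry]\nName=Firefox\nExec=firefox %u\n",
    "user/custom-editor.desktop": "[Desktop Entry]\nName=Editor\nExec=/home/user/bin/ed\n",
    "autostart/updater.desktop": "[Desktop Entry]\nName=Updater\nExec=/home/user/.cache/upd\n",
    "autostart/old.desktop": "[Desktop Entry]\nName=Old\nExec=oldtool\nHidden=true\n",
}


def run_demo():
    """Write the constructed sample tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in DEMO_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text, encoding="utf-8")
        return audit(root / "user", root / "system", root / "autostart")


def main(argv):
    if "--demo" in argv:
        findings = run_demo()
    else:
        home = Path.home()
        findings = audit(home / ".local/share/applications",
                         Path("/usr/share/applications"),
                         home / ".config/autostart")
    for f in findings:
        extra = f" (system: {f['system_exec']})" if "system_exec" in f else ""
        print(f"{f['kind']:22} {f['file']}: Exec={f['exec']}{extra}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to audit your own home directory, or with --demo to see the three findings on the constructed tree (the tampered synaptic.desktop, the stray custom-editor.desktop and the active autostart entry; the unchanged firefox.desktop and the Hidden=true entry are not reported). It compares only Exec=; a launcher can also be redirected through TryExec= or Path=, so an audit meant to be thorough should diff those keys as well.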
I heard about this some time ago. Some guy made a few tests with such a bad desktop file. All file managers opened the desktop file as usual; the only file manager giving a warning was Thunar :-) So dear XFCE users and those who use Thunar in their WM, don't be afraid ;-)
Luckily I run everything via the terminal. Aka, the alt-f2 run dialog and program name.
“There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.”-- C.A.R. Hoare
Well, in KDE any .desktop file has a big red exclamation point on its icon, and before it's started for the first time you get a warning window that shows exactly what this .desktop file will do.
So You'll see if it wants to rm -rf your root directory or install some malicious code...
OK, I'm not exactly sure I would even recognise the malicious code if it weren't rm -rf or something, but at least it shows it to me to arouse my suspicion.
Arch x86_64 ATI AMD APU KDE frameworks 5
---------------------------------
Whatever I do, I always end up with something horribly mis-configured.
1) Open a malicious email attachment or go to a website with malicious javascript or whatever...
2) A program is downloaded and executed with your permissions
I think I found the root of the problem!
-- jwc
http://jwcxz.com/ | blog
dotman - manage your dotfiles across multiple environments
icsy - an alarm for powernappers