In many X11 desktop environments, links to applications are usually represented by files with the .desktop extension in their names. Internally, these files have a format similar to INI files and specify information such as the command to execute and the icon used to represent them. They do not need execution permission, and they may run programs when they are clicked or double-clicked (depending on your setup). The security implications of this have already been discussed many times before, in places like Linux Weekly News, but I think the issue hasn’t received enough exposure.
Traditionally, people consider Unix systems more secure for several reasons, one of them being that the ability to execute a program depends on the program having execution permissions, instead of depending on the file extension as it does on Windows systems. Usually I don’t take these comments seriously, because in my humble opinion the weakest point in system security is the user. Many people are simply so dumb that if they receive an email message from someone they may not even know, they might follow the instructions in it, including saving an attachment to disk and giving it execution permissions if necessary. However, desktop files make this easier, as there is no need to give them execution permissions. Moreover, the file can disguise itself as an image or audio file, easily deceiving a novice user.
I have created an example file with these contents, and I’ve named the file paris_hilton.jpg.desktop:
```ini
[Desktop Entry]
Comment=JPEG Image
Comment[en_US]=JPEG Image
Encoding=UTF-8
Exec=sh -c '>~/paris_hilton.desktop.txt'
GenericName=Paris Hilton Nude
GenericName[en_US]=Paris Hilton Nude
Icon=image
MimeType=
Name=paris_hilton.jpg
Name[en_US]=paris_hilton.jpg
Path=/
StartupNotify=false
Terminal=false
TerminalOptions=
Type=Application
X-DCOP-ServiceType=
X-KDE-SubstituteUID=false
X-KDE-Username=
```
I sent it to myself by email and tried to see what happens when you receive it as an attachment. KMail is nice enough not to let you run the file directly, and represents the attachment with the icon reserved for programs (a gear). It also displays the full name, including the .desktop extension. On the other hand, if I click on Save As and save it to my desktop, the file is then represented by the image icon, with the name paris_hilton.jpg. If I “activate” it, the program in the Exec line is run, and a file is created in my home directory. And there lies the danger, because the Exec line can run literally anything, including any Perl or Python program, for example. It can read or write anything in your home directory and maybe other places. It can be as complex as the creator wants. It can create a file on disk with a Paris Hilton image, detect which desktop environment you’re running and display the image with the default image viewer while, in the background, it continues to run and do all sorts of nasty things. It could write a script to your Autostart directory that will send spam or listen on a high port. This is potentially very dangerous because, I repeat, there’s no need to give it execution permissions at any point. Simply save it to your desktop and click on it. So, X11 desktop users, we should be careful. This is not as easy as running it directly from the mail client, but it’s only a few more clicks away.
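The three properties that make the file above deceptive (a media extension hidden in front of .desktop, a Name= that looks like a data file, and an Exec= that hands a command line straight to a shell or interpreter) are all visible in the INI-like text, so a mail gateway or a desktop-side check can flag them before the user ever clicks. The following is an added example written for this post, not code from the author or from KDE; the heuristics, the SAMPLE_DESKTOP and BENIGN_DESKTOP strings, and the function names are my own constructions, with SAMPLE_DESKTOP embedding the post's own entry so the check runs offline.

```python
import configparser
import re
from pathlib import PurePath

# Constructed sample: the paris_hilton.jpg.desktop entry from the post,
# embedded as a string so the audit runs without touching the filesystem.
SAMPLE_DESKTOP = """[Desktop Entry]
Comment=JPEG Image
Comment[en_US]=JPEG Image
Encoding=UTF-8
Exec=sh -c '>~/paris_hilton.desktop.txt'
GenericName=Paris Hilton Nude
Icon=image
MimeType=
Name=paris_hilton.jpg
Name[en_US]=paris_hilton.jpg
Path=/
Terminal=false
Type=Application
"""

# Constructed sample of an ordinary launcher that should produce no findings.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=kwrite %U
Icon=kwrite
Terminal=false
"""

# Extensions a user would read as "data, not a program".
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".ogg", ".avi", ".pdf", ".txt"}

# Exec= lines that start with a shell or scripting interpreter; a normal
# launcher names the application binary instead.
INTERPRETER_RE = re.compile(r"^(sh|bash|dash|zsh|perl|python\d?|ruby)\b")


def parse_desktop(text):
    """Parse the [Desktop Entry] group of a .desktop file into a dict.

    interpolation=None keeps field codes such as %U intact, and optionxform=str
    preserves the case of keys like Exec and localized keys like Name[en_US].
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group found")
    return dict(cp["Desktop Entry"])


def audit_desktop(filename, text):
    """Return a list of finding codes for a .desktop file, in a fixed order."""
    entry = parse_desktop(text)
    findings = []
    # Only Type=Application entries launch a command when activated.
    if entry.get("Type") != "Application":
        return findings

    # 1. Double extension: "paris_hilton.jpg.desktop" shows as "paris_hilton.jpg"
    #    once the desktop hides the trailing .desktop.
    suffixes = PurePath(filename).suffixes
    if (len(suffixes) >= 2 and suffixes[-1] == ".desktop"
            and suffixes[-2].lower() in MEDIA_EXTS):
        findings.append("double-extension")

    # 2. The displayed Name= pretends to be an image, audio or document file.
    if PurePath(entry.get("Name", "")).suffix.lower() in MEDIA_EXTS:
        findings.append("media-name")

    # 3. Exec= hands an arbitrary command line to a shell or interpreter.
    if INTERPRETER_RE.match(entry.get("Exec", "")):
        findings.append("interpreter-exec")

    return findings


if __name__ == "__main__":
    for name, text in (("paris_hilton.jpg.desktop", SAMPLE_DESKTOP),
                       ("editor.desktop", BENIGN_DESKTOP)):
        print(name, "->", audit_desktop(name, text) or "clean")
```

Run as a script it reports all three findings for the post's file and "clean" for the ordinary launcher. The check is deliberately a heuristic: an attacker can pick a less obvious Exec= line, so the double-extension and media-name tests are the ones worth keeping in a mail filter, and the Exec= test mainly catches the lazy case shown in the post.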
Other types of files
Thinking about my previous post, I wondered what happens when you try to do something similar with a Kommander script. In this case, the security implications only affect people with KDE installed and kmdr-executor associated to the kmdr file extension, which is the default under KDE, as far as I’ve seen. Kommander is also nice in the sense that it performs several security checks. The Kommander script is displayed in KMail with its own icon, and it’s not a gear in the Crystal icon set I use, which makes it harder to identify as a program. Furthermore, when you click on the attachment icon you are given the option of running it directly with kmdr-executor. After I clicked on this option, I got a warning dialog with the following text:
This dialog is running from your /tmp directory. This may mean that it was run from a KMail attachment or a webpage. Any script contained in this dialog will have write access to all of your home directory; running those dialogs may be dangerous: are you sure you want to continue?
And the options are Run Nevertheless and Cancel, the first one being the default option (I think that’s wrong). I can only conclude that Kommander scripts are also potentially dangerous. If you’ve seen novice users at a computer you may agree with me.
Other script files, like files with the pl extension for Perl or the py extension for Python, do not have these problems. They can’t choose their own icon or name, as desktop files can, and they need execution permissions. At least on KDE, there’s no way of running those programs by clicking on them. All the file associations they have are meant to open them with a text editor. If a user wants to run them, they need to save them to their hard drive, give them execution permissions and/or open a terminal window to run them from there.
Update: When I said that there’s no way in KDE to launch a Perl or Python script by only clicking, I meant by default. Of course, you can (at your own risk) set up an association between those file extensions and the interpreters. Second, I forgot to mention that it’s indeed possible to launch an attached Perl or Python script directly from the mail client in a default setup. In KMail, you have to right-click on the file and choose Open with…, and then type perl or python in the program selection screen. However, if you want to trick a user into doing this you’d have to include instructions for several mail programs, because the mechanism may be different in each. Kommander scripts and desktop files may trick a lot of users. Instructions to save the file on disk and give it execution permissions will probably trick far fewer people, and this last idea would probably trick an intermediate number of people. I don’t think they’re as dangerous as Kommander files and, especially, desktop files.