Crazy bug of the week: Gnome Files' .MSI parser runs evil VBScripts

Grab a fix now


Gnome developers, take a bow: a bug in your image thumbnailer has opened up a (not too scary, thankfully) hole for script injection.

The security vulnerability was revealed this week by Nils Dagsson Moskopp here, and his advice for users is:

“Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code” (our emphasis added).

Here's the rub: while creating thumbnail images, Gnome Files can, if you have Wine installed, accidentally execute parts of some filenames as if they were in a script – and that's problematic. Specifically, we're talking about .MSI files, aka Windows software installer packages: when you see one in Files, Gnome's software tries to make a thumbnail for it, and if there's any VBScript code in the filename, it may get executed. Damn.

Imagine downloading a ZIP archive, and it unpacks a .MSI with a malicious filename. Bam, Gnome Files executes that code before you've clicked on anything else – if you have a viewer open for that directory, of course.

Here's where it gets weird: Gnome's thumbnail generator for .MSI files uses Wine to parse the contents of the installer file. The generator crafts a custom temporary script to run within Wine that looks inside the .MSI and pulls out information and stuff to create the thumbnail. But due to a programming blunder, VBScript in the filename can end up being executed, too.

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype,” said Dagsson Moskopp.

He picks out this single line of code in /usr/bin/gnome-exe-thumbnailer as the culprit:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\\tmp\\${TEMPFILE1##*/}.vbs 2>/dev/null \

He went on to explain:

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.”

Dagsson Moskopp says developers should not use “ad-hoc parsers” to parse files, should “fully recognise inputs before processing them”, and should use unparsers.

This issue has now been addressed by using a proper MSI parser rather than screwing around with scripts and Wine: make sure you fetch and install the latest updates for Gnome Files as soon as they land. If you don't have Wine installed, you're not at risk, of course. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say

Biting the hand that feeds IT © 1998–2017