FUD about security and file extensions (was Re: Why file content sniffing sucks)

Some people are telling that if we use file suffixes to determine MIME
types, GNOME will have the same vulnerabilities that Windows has. This
is not true.

The bugs present in Micros~1 Windows are not due to file type detection
by suffix. 

The vulnerabilities exist because of the way it is implemented. 

Some Windows applications implement their own file type detection
mechanism and then, after detecting, instead of looking for an
application to open the file and running it, it calls a shell function
(something like ShellRun()) to open the file. The problem is that this
function determines the file type *again*, in a different manner (the
correct one) and decides how to run it regardless of what the
application thinks about the file type. So, many applications (most
notably mail clients and web browsers) detect a file as a .jpg and then
calls 'ShellRun()' to open it. ShellRun() then detects that the file is
an executable and runs it gracefully.

This issue and others such as:

1. Executables' ability to provide embedded icons
2. Windows behavior of hiding file extensions (ie. 
   mypicture.jpg.exe appears as mypicture.jpg in the default setup).
3. Direct file execution by double-clicking

are responsible for the vulnerabilities.

To avoid such vulnerabilities in GNOME and Nautilus, some
countermeasures must be taken:

1. Consistent file type detection between applications.

2. Distinction between opening files and directly running programs.

	2.1. *Do not* associate script files with their parsers
		2.1.1. .pl, .tcl, .py, .sh, etc. If you want to 		       run a script,
create a launcher for it.

	2.2. Do not run executables directly by double-clicking. No 
	     one uses nautilus to do this. Nautilus is intended to 
	     manage files, not to run programs. 

		2.2.1. Executables must be run only through launchers or
		       through associated files.

3. There must be a *clear* and visible way to help users tell a launcher
(.desktop file) from a regular file. Today there is the vulnerability
that allows me to send you a .desktop file with a "mypicture.jpg"
caption and a JPEG icon that calls "rm -rf /" when double-clicked. It is
impossible to the user to tell a file from a specially-crafted .desktop
file. This is a major security issue. And it has already been
demonstrated in GNOME mailing lists a long time ago.

This topic has already been discuted but it did not generate many

We must elaborate and organize these ideas. This e-mail I am writing is
a complete mess.

Em Qua, 2003-12-24 ās 15:36, Colin Walters escreveu:
> On Wed, 2003-12-24 at 11:25, iain wrote:
> > Hmmm, dunno, dunno, oh jpg...whoops, no, it was an executable trojan
> > renamed to a jpg to trick me into running it.
> What do you mean, "trick you into running it"?  If Nautilus detects it
> as a JPEG due to the .jpg extension, it's not going to give you the
> option to execute it as a binary.
Fabio Gomes de Souza <fabio gs2 com br> (+55 81 9127-0597)

|- IT Infrastructure :: Security :: Embedded systems :: Linux
`- Olinda, Brazil - +55 81 3492-7777 - negocios gs2 com br

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]