Dubbed Bad Taste, the vulnerability (CVE-2017-11421) was discovered by German researcher Nils Dagsson Moskopp, who also released proof-of-concept code on his blog to demonstrate the vulnerability.
The code injection vulnerability resides in "gnome-exe-thumbnailer" — a tool to generate thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME, which requires users to have Wine application installed on their systems to open it.
Those who are unaware, Wine is a free and open-source software that allows Windows applications to run on the Linux operating system.
Moskopp discovered that while navigating to a directory containing the .msi file, GNOME Files takes the filename as an executable input and run it in order to create an image thumbnail.
For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which if downloaded on a vulnerable system would compromise the machine without further user interaction.
"Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine," Moskopp explains while demonstrating his PoC.
"The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution."The flaw can be exploited by potential hackers using other attack vectors as well, for example, by directly inserting a USB-drive with a malicious file stored on it, or delivering the malicious file via drive-by-downloads.
How to Protect Yourself from Bad Taste
Moskopp reported the vulnerability to the GNOME Project and the Debian Project. Both of them patched the vulnerability in the gnome-exe-thumbnailer file.
The vulnerability affects gnome-exe-thumbnailer before 0.9.5 version. So, if you run a Linux OS with the GNOME desktop, check for updates immediately before you become affected by this critical vulnerability.
Meanwhile, Moskopp also advised users to:
- Delete all files in /usr/share/thumbnailers.
- Do not use GNOME Files.
- Uninstall any software that facilitates automatically execution of filenames as code.
Moskopp also advised developers to not use "bug-ridden ad-hoc parsers" to parse files, to "fully recognise inputs before processing them," and to use unparsers, instead of templates.