A security researcher has discovered a code injection vulnerability in the thumbnail handler component of the GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.
Dubbed Bad Taste, the vulnerability (CVE-2017-11421) was discovered by German researcher Nils Dagsson Moskopp, who also released proof-of-concept code on his blog to demonstrate the vulnerability.
The code injection vulnerability resides in "gnome-exe-thumbnailer", a tool to generate thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME, which requires users to have the Wine application installed on their systems to open it.
For those who are unaware, Wine is free and open-source software that allows Windows applications to run on the Linux operating system.
Moskopp discovered that while navigating to a directory containing the .msi file, GNOME Files takes the filename as executable input and runs it in order to create an image thumbnail.
For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which, if downloaded on a vulnerable system, would compromise the machine without further user interaction.
"Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine," Moskopp explains while demonstrating his PoC.
"The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution."
The flaw can be exploited by potential hackers using other attack vectors as well, for example, by directly inserting a USB drive with a malicious file stored on it, or delivering the malicious file via drive-by downloads.
How to Protect Yourself from Bad Taste
Moskopp reported the vulnerability to the GNOME Project and the Debian Project. Both of them patched the vulnerability in the gnome-exe-thumbnailer file.
The vulnerability affects gnome-exe-thumbnailer versions before 0.9.5. So, if you run a Linux OS with the GNOME desktop, check for updates immediately before you get affected by this critical vulnerability.
Meanwhile, Moskopp also advised users to:
- Delete all files in /usr/share/thumbnailers.
- Do not use GNOME Files.
- Uninstall any software that facilitates automatic execution of filenames as code.
Moskopp also advised developers not to use "bug-ridden ad-hoc parsers" to parse files, to "fully recognise inputs before processing them," and to use unparsers instead of templates.
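The difference between a template and an unparser, shown as an added example that is not taken from the article, Moskopp's PoC or the gnome-exe-thumbnailer source. The one-line script template, the function names and the sample filename are all hypothetical and constructed for illustration.

```python
import re

# Hypothetical one-line script template (an assumption for this example;
# the real thumbnailer's script is not reproduced here).
TEMPLATE = 'Set db = installer.OpenDatabase("{name}", 0)'

# Constructed filename containing double quotes and a placeholder token.
CONSTRUCTED_NAME = 'report" & INJECTED & "final.msi'


def render_with_template(filename):
    """Vulnerable pattern: the filename is pasted into the script unchanged."""
    return TEMPLATE.format(name=filename)


def unparse_vbs_string(value):
    """Serialize a string as exactly one VBScript string literal.

    VBScript literals have no backslash escapes: a double quote is written
    as two double quotes, and a literal cannot span lines. Input is fully
    checked first, so ASCII control characters are rejected outright.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in filename; refusing to emit script")
    return '"' + value.replace('"', '""') + '"'


def render_with_unparser(filename):
    """Hardened pattern: the filename only ever appears as serialized data."""
    return "Set db = installer.OpenDatabase(" + unparse_vbs_string(filename) + ", 0)"


# A VBScript string literal: quote, then non-quote characters or doubled quotes.
_LITERAL = re.compile(r'"((?:[^"\r\n]|"")*)"')


def string_literals(script):
    """Decode every string literal found in a one-line script, in order."""
    return [m.group(1).replace('""', '"') for m in _LITERAL.finditer(script)]


if __name__ == "__main__":
    for render in (render_with_template, render_with_unparser):
        script = render(CONSTRUCTED_NAME)
        # Template: two literals with the placeholder left outside them as code.
        # Unparser: one literal that decodes back to the original filename.
        print(render.__name__, "->", script, string_literals(script))
```

Reading the literals back out of the generated script is the round-trip check: the output is only safe if it contains one literal that decodes to exactly the filename that went in.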