This is done via the following functions/programs: to open the default mail application for a `mailto:` link). # Root cause: user-supplied URLs opened by the OSĪ common way to open files and links from a native desktop application is by passing a URI to the operating system to handle (e.g. (#introduction) - (#root-cause-user-supplied-urls-opened-by-the-os) - (#finding-vulnerable-features-is-straightforward) - (#operating-systems-and-desktop-environments-have-different-url-opening-behaviors) - (#windows-10-19042) - (#xubuntu-2004-xfce) - (#other-linux-operating-systems) + (#snap) - (#mac-catalina-10156) - (#vulnerabilities) - (#nextcloud) - (#telegram) - (#vlc) - (#open-libreoffice) - (#mumble) - (#bitcoindogecoin-wallets) - (#wireshark) - (#bonus-vulnerability-winscp) - (#systematic-mitigation-requires-contributions-from-os-framework-and-application-maintainers) - (#conclusion) As an example, here is what exploitation of this issue in Nextcloud (< 3.1.3) on Xubuntu 20.04 looks like:Īfter explaining the root cause, vulnerable patterns and oddities of different OS’s and desktop environments, we’ll explore how this vulnerability type can be exploited in various popular desktop applications. The required user interaction and exploitation strategy depends on the desktop environment and whether the application was hardened, for instance, with a URI-scheme allow/block list. In this post, we show code execution vulnerabilities in numerous desktop applications, all with the same root cause: insufficient validation of user input that is later treated as a URL and opened with the help of the operating system.
) is opened, or an additional vulnerability in the opened application’s URI handler is exploited - Vulnerabilities following this pattern have already been found in other software, with more expected to be revealed going forward
) hosted on an internet accessible file share (`nfs`, `webdav`, `smb`. MARKDOWN - We found and reported 1-click code execution vulnerabilities in popular software including **Telegram**, **Nextcloud**, **VLC**, **Libre-/OpenOffice**, **Bitcoin/Dogecoin Wallets**, **Wireshark** and **Mumble** - Desktop applications which pass user supplied URLs to be opened by the operating system are frequently vulnerable to **code execution with user interaction** - Code execution can be achieved either when a URL pointing to a malicious executable (`.desktop`, `.jar`, `.exe`.
0 kommentar(er)
