Bad Taste

Because Windows executables haven't wreaked enough damage on Windows computers, now you can use malformed MSI files to run malicious code on Linux systems.

This scenario is possible because of a vulnerability discovered by German IT expert Nils Dagsson Moskopp, which he named "Bad Taste."

Vulnerability resides in thumbnailer script

The vulnerability resides in gnome-exe-thumbnailer, a third-party thumbnailer used by GNOME Files, formerly known as Nautilus, the default file manager/explorer for Linux distros using the GNOME desktop.

Moskopp discovered that he could hide malicious VBScript inside names of MSI files. When the user accesses a folder on his computer where this malicious MSI file is saved, GNOME Files would automatically parse the file to extract an icon from its content and display it in the file explorer window.

The problem is that when parsing the MSI file looking for its icon, the thumbnailer script also reads the filename and executes the code found within.

At the heart of this vulnerability are thumbnailer configuration files located in /usr/share/thumbnailers, which Gnome Files uses to parse files stored on a Linux computer to display icons or generate thumbnails.

Users can protect themselves

To avoid problems caused by the issue he discovered, Moskopp recommends that users delete the all files found in /usr/share/thumbnailers, or stop using GNOME Files for the time being.

Moskopp has published proof of concept code demoing the Bad Taste vulnerability on his blog. His demo code only drops an empty file with the name badtaste.txt on the user's computer, but an attacker could do much more damage.

The researcher told Bleeping Computer he reported the issue to the Debian project, who fixed it three hours later. The issue was also patched in the gnome-exe-thumbnailer thumbnailer that's responsible with parsing MSI and EXE files inside the GNOME Files app.

Bad Taste provides an initial foothold

To exploit this vulnerability an attacker would first need to trick a victim into downloading an MSI file.

While this requires some clever social engineering, Moskopp told Bleeping Computer in an email that "thumbnailer issues could be exploited via drive-by downloads with any web browser that does not ask users if files should be saved." For example, Chrome is one of the browsers that providers users with an auto-downloading setting. Security reserchers have warned Google against this feature in the past, which has been integrated in various attack chains, such as the one using SCF files to steal Windows credentials.

While Moskopp has not tested Bad Taste via a drive-by download, the researcher is correct to presume that a simple web vector such as this could be used to forcibly deliver MSI files to Linux users running potentially vulnerable distros. Even if users notice the forceful download, most will access their Downloads folder to inspect the suspicious file, which would lead to the execution of the exploit code.

Bad Taste is a type of vulnerability usually deploye to obtain an initial foothold on vulnerable systems. The severity of Bad Taste attacks currently relies with an attacker's ability to attach additional exploit code to the MSI's filename.

This is because the Bad Taste exploit code is executed with the victim's privileges. To cause more damage, the attacker would need to elevate his access to root-level to be truly effective. This usually requires bundling rooting exploits together with Bad Taste to escalate the initial access to a position of power that allows the attacker unlimited access to local resources.

The Bad Taste vulnerability is tracked as CVE-2017-11421.

Update: Information added about patches and potential drive-by distribution vector.

Correction: An initial version of this article mentioned that the malicious code needed to be inside the MSI file's version number field instead of the filename.