Linux - Security (LinuxQuestions.org forum): This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've recently had some random guy email me one of those typical and obvious "this email is urgent, please open the attached pdf for more information so that we can infect your PC and install a virus on it" type of emails. I found it suspicious since I haven't given that email out to anyone. Attached was a PDF file that I saved to my home folder and uploaded to VirusTotal for checking. While there were no threats detected, I still believe it's a possible virus because someone apparently uploaded the exact same file before me.
Thing is, I wanted to delete the file afterwards, so I opened Thunar, browsed to the directory where I saved the file earlier and tried to delete it, only to find out that Thunar was being stupid and peeked inside the file to generate a thumbnail.
Is it possible to get local code execution like this? I immediately disabled thumbnails, rebooted the PC and checked my /boot partition and boot sector for changes. I also looked for modified and new files in folders like /var/tmp, ~/.config/autostart, but couldn't find anything.
I presume the permissions on the file are something like 644. That would permit read and write for owner, read only for group and everyone else.
That does not permit code execution.
It would be incredibly insecure for a file browser to execute code when attempting to retrieve info about a file. I doubt there is an issue, but perhaps someone else sees a problem. Is it an accurate thumbnail or a generic pdf thumbnail?
This is a little bit why linux is more secure than windows... opening a file.pdf.sh does nothing if the permissions are (by default) set to 644. You can override this of course.
I'm sorry, I'm not worried about executing the file itself. I'm aware that the file was non-executable, and it was a PDF on its own since I opened it with hexdump. What I had in mind was that if there was a 0day exploit present within the file, could generating a thumbnail have triggered it?
What I had in mind was that if there was a 0day exploit present within the file, could generating a thumbnail have triggered it?
In theory, yes. But I would not worry too much about it if this e-mail was not specifically directed at you: The big malware campaigns do not target linux desktop users because of too low market share and too fragmented software environments. And the typical pdf exploits use adobe reader, while the code your file manager executes to generate the thumbnail comes probably from evince or poppler.
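To see which program would actually parse a PDF when a thumbnail is generated, one can read the freedesktop .thumbnailer spec files that Thunar's thumbnail service (tumbler) consults, normally under /usr/share/thumbnailers. This is an added example, not code from the thread; it builds a constructed sample directory instead of reading the real one, and the two sample entries are made up for illustration.

```shell
#!/bin/sh
# Look up which thumbnailer entry claims a given MIME type and print the
# command line it would run on the file (Exec= line). Entries are the
# freedesktop "[Thumbnailer Entry]" format: MimeType= is a ';'-separated list.
thumbnailers_for_mime() {
    # $1 = directory holding *.thumbnailer files, $2 = MIME type to look up
    dir=$1; mime=$2
    for f in "$dir"/*.thumbnailer; do
        [ -f "$f" ] || continue            # no files at all: glob stays literal
        mimes=$(sed -n 's/^MimeType=//p' "$f")
        case ";$mimes;" in
            *";$mime;"*)
                # Exec= is passed as a printf argument, so its %s/%u/%o
                # placeholders are printed literally, not interpreted.
                printf '%s\t%s\n' "$(basename "$f")" "$(sed -n 's/^Exec=//p' "$f")" ;;
        esac
    done
}

# Constructed sample directory standing in for /usr/share/thumbnailers.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/evince.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=evince-thumbnailer
Exec=evince-thumbnailer -s %s %u %o
MimeType=application/pdf;application/x-bzpdf;
EOF
    cat > "$d/gnome-font.thumbnailer" <<'EOF'
[Thumbnailer Entry]
Exec=gnome-thumbnail-font --size %s %u %o
MimeType=font/ttf;application/x-font-ttf;
EOF
    printf '%s\n' "$d"
}

# Stand-alone use: which entry handles PDFs in the sample directory?
sample=$(make_sample_dir)
thumbnailers_for_mime "$sample" application/pdf
```

On a real system, pointing the function at /usr/share/thumbnailers shows the exact parser binary that handles each type; removing or renaming the matching entry (or disabling thumbnails in Thunar, as the original poster did) stops that parser from ever seeing an untrusted file.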
I'm sorry, I'm not worried about executing the file itself. I'm aware that the file was non-executable, and it was a PDF on its own since I opened it with hexdump. What I had in mind was that if there was a 0day exploit present within the file, could generating a thumbnail have triggered it?
Since a 0 day exploit rests on the fact that the exploit is unknown to the designer of the intended software, then yes, running any code anywhere on it is a risk. It could potentially have a 0 day for the file manager thunar, 0 day for gaining root privileges, etc.
After establishing that, then you touch on probability on what software.
Considering the incredibly small world of desktop linux computers ((most) linux servers don't use X, right?) and that dangerous code is limited to that user account, the probability of a 0 day designed for a linux computer with an X server (gui) cannot be very high.
It's possible thunar uses another command to identify the file, like file, which is used to determine file type. My man page explains how it determines file type, might be worth a read (man file).
Yeah, when I received the suspicious email I just replied and pretended I couldn't open the PDF file. I asked the lad to send me another file format in the hopes that I would be able to capture another potential 0day exploit and sent it to VirusTotal for analysis. While the lad did reply with a docx file this time, I first scanned it with VT and then opened it with a ZIP archiver to examine the XML contents. As it turned out the email was just another of those 419 scams.
I had seriously hoped that I was being targeted by some hacking company so I could fish for some new exploits. Damnit!!!!!!
Also, I never told anyone in particular I'm using linux.
I've recently had some random guy email me
...
Yeah, when I received the suspicious email I just replied and pretended I couldn't open the PDF file.
Hopefully that wasn't with your real email. You just gave them something much more valuable - information that they have a live email address that responds.