47

I am using Nemo file manager and I enabled the Previewable files option that shows video/photo files with their thumbnails:

Nemo file manager/cinnamon/Linux

I don't know exactly how file managers generate thumbnails, but I am wondering if the generation process can execute malware embedded in a media file?

forest
dif shluger
    Not precisely about Linux/Nemo, but the issue remains the same: [most well-known exploit of that sort](https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability). That, and rendering TrueType in kernel mode, which is just an ingenious thing to do... – Damon Dec 13 '17 at 16:44
  • Related: https://superuser.com/questions/709275/what-is-the-danger-of-inserting-and-browsing-an-untrusted-usb-drive – RyanS Dec 13 '17 at 16:54
  • 12
    I'm really excited that someone asked a question like this! I think there's an even more general question hiding here which is "Some code is running on arbitrary inputs and I don't know exactly how it works, could specially designed inputs trigger arbitrary code execution?" To which the answer is most definitely and always a resounding yes. I might even presume to think the origin of most bugs and most exploited vulnerabilities is exactly this type of scenario. – zenware Dec 13 '17 at 18:50
  • @Damon Windows hasn't rendered fonts in kernelmode for quite a while. In Vista (?) they made it optional, and later (8.1 or 10) they removed the kernel code to do that and rendered it entirely in userspace. Scrollbars are still rendered by the kernel though... – forest Dec 14 '17 at 03:31

1 Answer

75

Yes, it is possible for previews to execute malicious code. Previews are created by checking the file type, and generating a thumbnail. For images, it resizes them. For videos, it decodes them, seeks into them, and creates a snapshot. For HTML files, it renders them with something like WebKit, and saves a snapshot. While previewers do not intentionally execute code, if any of these complex decoders have vulnerabilities, they can potentially be exploited.

This is a big problem with gstreamer, where a vulnerability in the NSF decoder led to arbitrary code execution. A similar issue was found in its FLIC decoder. The issues stemmed from the fact that the decoder to use was chosen based on the file contents, rather than the file extension. Because of this, a file with the .mp3 extension could actually contain an NSF file. NSF is the NES audio format, and it is implemented as 6502 bytecode (yes, bytecode). NSF files are played by running it in an actual emulator and converting the output into playable audio. Unfortunately, emulators are complex, and that allowed an exploit entirely in 6502 bytecode to compromise an Ubuntu installation.

While gstreamer is a special case, the fundamental issue where a previewer is able to parse a wide variety of formats simply by navigating to a directory is a nasty security issue. Previews/thumbnails should be disabled if you are concerned about this threat.

An NSF file, named time_bomb.mp3, exploiting previews on an Ubuntu system to open xcalc:

[screenshot: xcalc window opened by the preview]

forest
  • 17
    "The issues stemmed from the fact that the decoder to use was chosen based on the file contents, rather than the file extension." That's how most things work on Linux-based systems, though, and is unrelated to the actual issue you brought up. It would still exist if there were a vulnerability in the MP3 decoder used that could be exploited or if the NSF file had the "correct" extension. – JAB Dec 13 '17 at 19:05
  • 4
    Sure. I was just explaining a little that one vulnerability as an example. In that case the NSF decoder was far less secure than the MP3 decoder due to its obscurity. – forest Dec 14 '17 at 03:24
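The point made in the answer and the comments above, that the decoder is picked from the file contents while the file name claims something else, can be turned into a defender's check. The following Python is an added example, not code from the original post: it sniffs the leading bytes of files for a few of the formats the answer mentions (NSF, FLIC, MP3, JPEG, PNG; the signature values are the published header bytes of those formats) and flags files whose extension disagrees with their header, the time_bomb.mp3 case included.

```python
import os
import struct
# Header signatures (well known): NSF = "NESM\x1a"; FLIC = u16 LE 0xAF11/0xAF12
# at offset 4; MP3 = "ID3" tag or frame sync 0xFFEx; JPEG and PNG as usual.
def sniff(head):
    if head.startswith(b"NESM\x1a"):
        return "nsf"
    if head.startswith(b"ID3"):
        return "mp3"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if len(head) >= 6 and struct.unpack_from("<H", head, 4)[0] in (0xAF11, 0xAF12):
        return "flic"
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"  # frame sync is the weakest signature, so it is checked last
    return None  # unknown header: not enough evidence to judge

EXPECTED = {".mp3": {"mp3"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},  # legitimate kinds
            ".png": {"png"}, ".fli": {"flic"}, ".flc": {"flic"}, ".nsf": {"nsf"}}

def mismatches(files):
    """files: {name: leading bytes}. Return (name, ext, sniffed) for each file
    whose header names a format other than the one its extension claims."""
    found = []
    for name, head in files.items():
        ext = os.path.splitext(name)[1].lower()
        kind = sniff(head)
        allowed = EXPECTED.get(ext)
        if kind is not None and allowed is not None and kind not in allowed:
            found.append((name, ext, kind))
    return found

def scan_directory(path):
    """Read the first 16 bytes of every regular file in `path` and report mismatches."""
    heads = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                heads[name] = fh.read(16)
    return mismatches(heads)

# Constructed sample headers for a dry run (not files from the original post).
SAMPLES = {
    "time_bomb.mp3": b"NESM\x1a\x01\x01\x00" + b"\x00" * 8,  # NSF wearing an .mp3 name
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00",          # genuine MP3 with ID3 tag
    "anim.png": b"\x00\x00\x10\x00\x11\xaf" + b"\x00" * 10,  # FLIC wearing a .png name
}
```

Running `scan_directory` over a download folder before opening it in a thumbnailing file manager lists exactly the files a content-sniffing previewer would hand to a decoder the name never suggested.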