Control characters alter filename appearance

Bug #197804 reported by Amaroq
Affects            Status     Importance  Assigned to          Milestone
Nautilus           Confirmed  Medium
nautilus (Ubuntu)  Triaged    Low         Ubuntu Desktop Bugs

Bug Description

After reading an article about how the LRO and RLO Unicode characters could be used to produce deceptive filenames in Vista, a friend of mine and I tried this on Ubuntu to see if it would work there too.

I used the following command via terminal:

touch S[RLO]iva.exe

where [RLO] is the Right to Left Override character pasted into the terminal.
(Note that some terminals do not allow you to paste this character. At least my friend's didn't.)

ls'ing the directory shows something akin to S iva.exe. (The space would be the control character.)
Viewing the directory in nautilus shows the filename as "Sexe.avi".
Quite the tempting filename.

Indeed, everything GUI seems to render the effects of the control character. At least as far as viewing filename and saving files via Pidgin's file transfer and such. (The spoofed filename even remains intact in the field where the filename to save as is defaulted to the filename that the sender is sending.)

Double clicking would attempt to open it as an exe.

Obviously only remotely detrimental if you have Wine or something else that handles exe files. But still, the possibility for exploit using crafted filenames remains.

Something like [RLO]gpj.[LRO]ShellScript could easily be spoofed and would render as ShellScript.jpg.

Ubuntu 7.10.
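
A defensive check for the filenames described in this report, added here as an example (not part of the original report and not Nautilus code): it flags names that contain explicit bidirectional control characters and shows them in stored order with the controls escaped, so the extension a file handler would act on is visible. The function names and the sample list are assumptions made for illustration.

```python
import os
import unicodedata

# Explicit bidirectional formatting classes. LRO and RLO, the two characters
# named in the report, have the Unicode bidi classes "LRO" and "RLO".
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF",
                        "LRI", "RLI", "FSI", "PDI"}

def bidi_controls(name):
    """Return (index, character name) for each bidi control in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name)
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]

def escaped(name):
    """Stored-order form of name with bidi controls written as \\uXXXX."""
    return "".join("\\u%04X" % ord(ch)
                   if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES
                   else ch
                   for ch in name)

def stored_extension(name):
    """Extension as stored on disk, which is what a handler is chosen by."""
    return escaped(os.path.splitext(name)[1])

def audit(names):
    """Return one finding per name that carries a bidi control character."""
    findings = []
    for name in names:
        hits = bidi_controls(name)
        if hits:
            findings.append({"escaped": escaped(name),
                             "extension": stored_extension(name),
                             "controls": [n for _, n in hits]})
    return findings

# Constructed sample: the names quoted in this report plus one benign name.
SAMPLES = ["S\u202eiva.exe", "\u202egpj.\u202dShellScript",
           "test \u202egepj.exe", "holiday.jpg"]

if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f["escaped"], "->", f["extension"], f["controls"])
```

The same scan can be pointed at `os.listdir()` output for a download or attachment directory.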

Amaroq (coolsteve64) wrote :
Michael Nagel (nailor) wrote :

redirecting this to nautilus, perhaps someone will have a look at it...

Sebastien Bacher (seb128) wrote :

thank you for your bug report. could you try if that's still an issue in hardy or intrepid? the filename is displayed as having an incorrect encoding on my intrepid installation

Changed in nautilus:
assignee: nobody → desktop-bugs
importance: Undecided → Low
status: New → Incomplete
Samuel Lidén Borell (samuellb) wrote :

Yes, at least Hardy still displays deceptive filenames. I tried this on my Intrepid installation which unfortunately was a few days old (it later broke when I updated it, I'll have to investigate that before I can test on a newer version), and it had the same issue.

Sebastien Bacher (seb128) wrote :

wgetting the bug example doesn't give a broken example, could you describe how to type this special character?

Samuel Lidén Borell (samuellb) wrote :

I wrote this text in gedit:

test [RLO]gepj.exe

where [RLO] is selected from the right-click menu. Then I created a new empty text file in Nautilus and pasted in the filename from gedit. The filename displayed was "test exe.jpeg".

Sebastien Bacher (seb128) wrote :

typing "test [RLO]gepj.exe" makes the "test exe.jpeg" text being displayed, that seems to be the intended behaviour and not a bug

Amaroq (coolsteve64) wrote :

I downloaded the file I attached, S[RLO]iva.exe. Viewing it in both nautilus in a folder and directly on the desktop still renders the deceptive filename.

This is on a fresh, fully updated Hardy install.

Sebastien Bacher (seb128) wrote :

could anybody having the issue open a bug on bugzilla.gnome.org?

A. Walton (awalton) wrote :

This might be a tough one to fix. If I understand correctly, RLO and LRO are often used while internationalizing text. Nautilus normally doesn't do anything tricky when displaying names. We just pass them over to Pango to be rendered and display them. We could fix it on a per-locale basis, but we would still get it wrong for a lot of people (e.g. people who use one locale but have files with names from different locales).

Per the most common and worrisome case, when launching a script from Nautilus, we ask whether you want to edit it or launch it beforehand, which mostly defeats this attack. The only remaining vector then would be to use a specially crafted Desktop Entry file, which is a different bug altogether (Nautilus could be a lot more picky about launching these). I think the Wine+EXE case is even more specific and rare than the two mentioned above.

Anyways, feel free to forward it upstream and/or work on it if you like.

Amaroq (coolsteve64) wrote :

I've opened this as a bug on bugzilla.gnome.org.

I'm not quite sure how to mark it as a security vuln though...

http://bugzilla.gnome.org/show_bug.cgi?id=549882

Changed in nautilus:
status: Incomplete → Triaged
Changed in nautilus:
status: Unknown → Confirmed
Changed in nautilus:
importance: Unknown → Medium
This report contains Public Security information  
Everyone can see this security related information.
