Package: mono-runtime-common
Version: 6.8.0.105+dfsg-3
Severity: important
File: /usr/share/applications/mono-runtime-common.desktop
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
/usr/share/applications/mono-runtime-common.desktop and
/usr/share/applications/mono-runtime-terminal.desktop are registered as
freedesktop.org MIME handlers for the application/x-ms-dos-executable MIME
type. They run the executable under mono(1) without any further prompting.

This means that doing normal "open a document" actions will result in
arbitrary code execution with normal user privileges:

- follow a web link to a downloadable file and accept the browser's offer to
  open it (mitigation: the user is prompted, and major browsers might
  special-case application/x-ms-dos-executable as particularly dangerous)
- follow a file:/// link in a non-web format that allows links, such as PDF
- open an email attachment
- xdg-desktop-portal forwarding an "open file" action from a Flatpak app
  (mitigation: this one involves user action to confirm which app should be
  used to open the file)

I don't think this is *necessarily* a security vulnerability, as such
(everything is doing what it is designed to do), but in 2020 it seems deeply
inadvisable. In particular, web browsers, email clients, and sandboxed app
frameworks like Flatpak and Snap, which are not generally aware of the
specifics of particular MIME types, have little choice but to assume that
opening a file is not normally arbitrary code execution.

The analogous MIME handling in Wine was removed in 2013
(<https://bugs.debian.org/327262>). I would expect that Mono would either not
handle application/x-ms-dos-executable, or handle it with an application that
shows a "this is probably dangerous, are you sure?" prompt first (like Wine
used to do). I would personally prefer it to not handle
application/x-ms-dos-executable at all, due to
<https://en.wikipedia.org/wiki/Dancing_pigs>.

This was brought to my attention by a commit in GNOME's evince PDF viewer
which removes its "launch action" feature (part of the PDF spec, but in
practice mostly used by Windows malware) as a form of security hardening.
See <https://gitlab.gnome.org/GNOME/evince/-/issues/1333> (I'm preparing an
upload with the change referenced there), which uses mono in its
proof-of-concept.

Mitigation: GNOME users will find that org.gnome.FileRoller.desktop is a
preferred handler for application/x-ms-dos-executable. It isn't clear to me
how useful this really is (opening an executable as a zip-like archive with
"filenames" like .text and .bss seems more like a proof-of-concept than
something people would genuinely use) but at least it's harmless. MATE's
equivalent (fork?) of file-roller, engrampa, does the same.

Another mitigation: I was surprised to find that gnome-games-app also
associates itself with application/x-ms-dos-executable, alongside lots of ROM
formats (presumably so it can offer to run them in a sandbox environment with
Dosbox). This is hopefully OK, because gnome-games-app hopefully has a lot
more prompting and sandboxing than a general-purpose program interpreter.

    smcv
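A way to check a system for the situation the report describes, added here as example code (it is not part of the bug report, of the mono package, or of any freedesktop tool): enumerate every .desktop file that claims application/x-ms-dos-executable in its MimeType= list, show each one's Exec= line so a direct hand-off to an interpreter is visible, and read the default from the [Default Applications] section of mimeapps.list. The .desktop files and mimeapps.list it creates are constructed fixtures for the demo, not copies of Debian's files, and the Exec= line given for mono-runtime-common.desktop is an assumption about its shape rather than the package's real content.

```shell
#!/bin/sh
# Audit which freedesktop .desktop files register as handlers for a MIME type,
# and which one mimeapps.list makes the default. Example code written for this
# page; the fixture files below are constructed, not copied from Debian.

# List the .desktop files under directory $1 whose MimeType= line includes
# MIME type $2. MimeType= is a ;-separated list, so the match is anchored on
# the separators to avoid matching a longer type that shares a prefix.
handlers_for() {
    dir=$1; mime=$2
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        if grep -E '^MimeType=' "$f" | sed 's/^MimeType=/;/; s/;*$/;/' \
            | grep -qF ";$mime;"; then
            basename "$f"
        fi
    done
}

# Print the default handler for MIME type $2 from mimeapps.list $1, if any.
# Only the [Default Applications] section decides the default; entries under
# [Added Associations] merely add candidates.
default_for() {
    list=$1; mime=$2
    [ -f "$list" ] || return 0
    awk -v mime="$mime" '
        /^\[/ { insec = ($0 == "[Default Applications]") }
        insec && index($0, mime "=") == 1 {
            val = substr($0, length(mime) + 2); sub(/;$/, "", val); print val; exit
        }
    ' "$list"
}

# Print the first Exec= command of .desktop file $1.
exec_of() { sed -n 's/^Exec=//p' "$1" | head -n 1; }

# Constructed fixture (assumed shapes, not Debian's real files): an interpreter
# handler that runs the file directly, an archive manager that only opens it,
# and a mimeapps.list that prefers the archive manager.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/mono-runtime-common.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Mono Runtime (Common)
Exec=mono %f
NoDisplay=true
MimeType=application/x-ms-dos-executable;
EOF
    cat > "$d/org.gnome.FileRoller.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Archive Manager
Exec=file-roller %U
MimeType=application/x-7z-compressed;application/x-ms-dos-executable;application/zip;
EOF
    cat > "$d/mimeapps.list" <<'EOF'
[Default Applications]
application/x-ms-dos-executable=org.gnome.FileRoller.desktop
[Added Associations]
application/x-ms-dos-executable=mono-runtime-common.desktop;
EOF
    printf '%s\n' "$d"
}

# Report every handler for $2 under $1, flag those whose Exec= hands the file
# straight to a program interpreter, and show the configured default.
audit() {
    dir=$1; mime=$2
    echo "Handlers for $mime:"
    for h in $(handlers_for "$dir" "$mime"); do
        cmd=$(exec_of "$dir/$h")
        case $cmd in
            "mono "*|"wine "*) flag=" (runs the file directly: code execution)";;
            *) flag="";;
        esac
        echo "  $h: Exec=$cmd$flag"
    done
    echo "Default: $(default_for "$dir/mimeapps.list" "$mime")"
}

# Demo against the constructed fixture. On a real system, run audit against
# /usr/share/applications and point default_for at ~/.config/mimeapps.list.
fixture=$(make_fixture)
audit "$fixture" application/x-ms-dos-executable
rm -rf "$fixture"
```

On a real desktop the same question can be asked with `xdg-mime query default application/x-ms-dos-executable`, but that only reports the winner; the script above also lists every registered candidate, which is what matters when a default is later removed or a portal lets the user pick any handler.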

