A German security researcher (Moskopp) was able to discover a code injection flaw (Bad Taste – CVE-2017-11421) in the gnome-exe thumbnailer that could enable attackers to execute malicious code on targeted Linux devices.
The flaw exists in gnome-exe thumbnailer, which is a third-party thumbnailer used by GNOME Files, formerly known as Nautilus, the default file manager/explorer for Linux distros using the GNOME desktop.
“gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the “Bad Taste” issue. There is a local attack if the victim uses the GNOME Files file manager, and navigates to a directory containing a .msi file with VBScript code in its filename.”
The researcher discovered that he could hide malicious VBScript inside names of MSI files and when the victim accesses a folder on his device where this malicious MSI file is stored, GNOME Files would automatically parse the file to extract an icon from its content and display it in the file explorer window. The flaw can be exploited by fooling the victims into downloading the MSI file with clever social engineering attack.
“instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.”