Linux Devices Vulnerable To Code Injection. German security researcher Moskopp found a code injection flaw (Bad Taste, CVE-2017-11421) in the gnome-exe-thumbnailer thumbnailer that may allow an attacker to execute malicious code on Linux machines.
The defect is in gnome-exe-thumbnailer, a third-party thumbnailer used by GNOME Files (formerly known as Nautilus), the file manager for Linux distributions that use the GNOME desktop.
“gnome-exe-thumbnailer before 0.9.5 is prone to VBScript injection when generating thumbnails of MSI files, also known as ‘Bad Taste’.
There is a local attack if the victim uses the GNOME file manager and browses to a directory containing a .msi file with VBScript code in its file name.”
The researcher found that malicious VBScript can be hidden inside MSI file names. When the victim opens a folder on their machine where such an MSI file is stored, GNOME Files automatically parses that file to extract content from it and display it in the file browser window.
The bug can be exploited by using a clever social engineering attack to trick victims into downloading an MSI file.
“Instead of parsing an MSI file for its version number, this code creates a script that contains the filename being viewed and runs it using Wine. The text was built using a template, which makes it possible to include VBScript in the filename and enable execution.”
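The template pattern described in the quote above, next to a hardened form and a file name check, as an added example that is not the thumbnailer's own code. The template text, function names and sample file names are assumptions constructed for illustration.

```python
import re

# Hypothetical template (not the thumbnailer's actual one): the file name is
# pasted into a quoted string inside generated VBScript source.
TEMPLATE = 'path = "{name}"\nWScript.Echo path\n'

CONTROL = re.compile(r'[\x00-\x1f\x7f]')

def build_script_unsafe(name):
    """Vulnerable pattern: raw file name interpolated into script source."""
    return TEMPLATE.format(name=name)

def vbs_quote(name):
    """Make a name safe inside a VBScript string literal.

    A literal cannot span lines, and a double quote is escaped by doubling.
    """
    if CONTROL.search(name):
        raise ValueError("control character in file name")
    return name.replace('"', '""')

def build_script_safe(name):
    """Same template, but the name can no longer end the string literal."""
    return TEMPLATE.format(name=vbs_quote(name))

def name_stays_data(script):
    """True if the first line is exactly one string literal assignment."""
    first_line = script.split("\n", 1)[0]
    return re.fullmatch(r'path = "(?:[^"]|"")*"', first_line) is not None

def suspicious_msi_names(names):
    """Detection aid: .msi names carrying quote or control characters."""
    return [n for n in names
            if n.lower().endswith(".msi") and ('"' in n or CONTROL.search(n))]

# Constructed sample names; the second only splits the literal in two.
SAMPLES = ["setup-1.0.msi", 'demo" & "x.msi', "notes.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample),
              "unsafe:", name_stays_data(build_script_unsafe(sample)),
              "safe:", name_stays_data(build_script_safe(sample)))
    print("flagged:", suspicious_msi_names(SAMPLES))
```

Escaping is the fallback; a thumbnailer that passes the file name as data to a parser, rather than generating script source from it, removes this injection class entirely.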