Popular Desktop App Flaws

Popular desktop apps including Telegram, VLC, LibreOffice/OpenOffice, Wireshark and others are affected by 1-click code execution vulnerabilities. These desktop applications hand user-controlled URLs to the operating system in a way that leads to code execution after a single user interaction.

The following sections look at code execution vulnerabilities in a number of desktop applications. All of them share the same root cause: insufficient validation of user input that is later treated as a URL and opened with the help of the operating system.

Root cause: user-supplied URLs opened by the OS

A common way to open files and links from a native desktop application is by passing a URI to the operating system to handle.

This is done via the following functions/programs:

  • Windows: ShellExecute*
  • Linux: xdg-open (detects the desktop environment and calls gio open, gvfs-open, gnome-open, mate-open, exo-open or enlightenment_open)
  • macOS: NSWorkspace#openURL()

When a user-supplied URL is opened in this way without additional checks, this can lead to code execution:

  • By exploiting OS behavior for specific URI schemes and file extensions
  • By exploiting vulnerabilities in third-party application URL handlers

Various App Flaws:

Nextcloud

The Nextcloud Desktop client uses QDesktopServices::openUrl in several places. When the user connects to a Nextcloud server, the server’s login page is loaded in a WebView. Qt’s default behavior is that a click on a link in a WebView is not handed directly to the OS handler, but the Nextcloud client forwards such links to QDesktopServices::openUrl without any filtering on the URI scheme. This leaves many possibilities open and allows for smooth exploitation without any additional confirmation dialog.

The Nextcloud team fixed the issue by replacing QDesktopServices::openUrl with their utility function Utility::openBrowser, which performs an allowlist check on the scheme (http/https/oauthtest) before passing the URL on to QDesktopServices::openUrl.

CVE: CVE-2021-22879

Patch: Validate sensitive URLs to only allow http(s) schemes

Telegram

The Telegram Desktop application for Windows, Linux and macOS is based on Qt and passes links directly to QDesktopServices::openUrl.

The Telegram API defines specific MessageEntity types that have an offset, a length and optional additional parameters. The MessageEntity types related to URLs are messageEntityUrl and messageEntityTextUrl.

With messageEntityTextUrl, any text can point to any URL. The backend performs strict checks on that URL and in many cases returns “400 – Unsupported url protocol”. messageEntityUrl is subject to a more relaxed filter list, which still allows the sftp:// URI scheme. On Xubuntu, this can be exploited by linking to an executable .desktop file via sftp:// (with the username included in the URL and an empty password set on the server, so that minimal interaction is needed).

In a default Windows installation, no application is registered to handle sftp:// links. However, WinSCP, which was installed on the test machine, registers itself as the sftp:// URI handler by default.

The presence of sftp:// in that list traces back to a GitHub issue from 2015, in which a user observed and reported a seemingly surprising behavior; the URI scheme was added in response without an actual use case.

The issue was reported to Telegram on January 11th, and after several follow-ups, closed via a server-side change on (or slightly before) February 10th.

VLC

The vulnerable feature in VLC is the “Show Containing Folder” action in the context menu of a playlist item.

When the action is triggered, the path of the containing directory is derived from the playlist entry’s URL and opened with QDesktopServices::openUrl. By appending an additional / or /doesnotexist.mp4 to a playlist entry’s URL, “Show Containing Folder…” can be diverted into opening an arbitrary file with its associated default application.

The issue was mitigated by adding a check that the URI to be opened is a directory, which prevents the RCE. vlc_uri2path itself was not changed, so although the function may appear to have the goal of disallowing remote files, UNC paths can still be specified (leading to an NTLM hash leak, or potentially other unexpected behavior, wherever vlc_uri2path is used).
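To make the VLC issue concrete, here is an added C++17 example; it is not VLC’s code and does not reproduce vlc_uri2path. It models the pre-fix “Show Containing Folder” path derivation next to a hardened version that refuses UNC-style paths and only returns a path that really is a directory. The function names, the scratch-directory fixture and the UNC prefix check are assumptions made for this illustration, and the Qt call that would actually open the result is left as a comment so the block runs anywhere.

```cpp
#include <filesystem>
#include <fstream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Assumed UNC detection: \\server\share\... or //server/share/... .
// Paths of this shape are what vlc_uri2path still lets through; merely
// touching them makes Windows talk SMB to "server", which is enough for
// an NTLM hash leak even when nothing is executed.
bool isUncPath(const std::string& p) {
    return p.rfind("\\\\", 0) == 0 || p.rfind("//", 0) == 0;
}

// Pre-fix behaviour (modelled): strip the last path component and hand the
// result to the OS handler. A trailing "/" or a bogus "/doesnotexist.mp4"
// suffix makes the "containing folder" the media file itself, or any other
// attacker-chosen file, which the OS then opens with its default application.
std::string containingFolderUnchecked(const std::string& entry) {
    std::string folder = fs::path(entry).parent_path().string();
    // QDesktopServices::openUrl(QUrl::fromLocalFile(QString::fromStdString(folder)));
    return folder;
}

// Hardened version: refuse UNC paths outright and only return the parent
// when it is an existing directory on the local filesystem.
std::optional<std::string> containingFolderChecked(const std::string& entry) {
    if (isUncPath(entry)) return std::nullopt;
    fs::path parent = fs::path(entry).parent_path();
    std::error_code ec;                       // no exceptions on odd paths
    if (!fs::is_directory(parent, ec)) return std::nullopt;
    // QDesktopServices::openUrl(QUrl::fromLocalFile(QString::fromStdString(parent.string())));
    return parent.string();
}

// Constructed fixture: a scratch directory holding one fake media file.
// Returns the file's path so callers can build crafted playlist entries.
std::string setupFixture() {
    fs::path dir = fs::temp_directory_path() / "vlc_showfolder_demo";
    fs::create_directories(dir);
    fs::path clip = dir / "clip.mp4";
    {
        std::ofstream f(clip);
        f << "not really an mp4";
    }
    return clip.string();
}
```

Run against a crafted entry such as `<clip>/doesnotexist.mp4`, the unchecked variant returns the clip file itself as the “folder”, while the checked variant returns nothing; a UNC entry is rejected before the filesystem is touched at all.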

Open-/LibreOffice

OpenOffice and LibreOffice allow for Hyperlinks to be embedded in various types of documents, including macro-disabled file types.

The Windows version of LibreOffice had a file extension blacklist intended to protect against this type of attack. However, a way was found to bypass this blacklist, allowing for 2-click exploitation on Windows and showcasing the unreliability of such an approach.

As a fix, the researchers suggested displaying a comprehensive warning message to the user before opening any non-http(s) hyperlink.

OpenOffice’s response:

Pending CVE: CVE-2021-30245

Pending Patch: The OpenOffice team is currently working on a fix that addresses the issue on all platforms to be included in the upcoming 4.1.10 release.

LibreOffice’s response:

LibreOffice opted to only patch the file extension blacklist bypass for Windows. CVE-2021-25631 was assigned for the blacklist bypass.

Mumble

The Mumble voice chat software features a centrally managed public server list, which makes it convenient for users to find and connect to servers that have opted in to be listed.

Exploiting Mumble on Windows:

A one-click exploit on Windows should be possible by using a WebDAV URL that points to a malicious file in the root folder of the share.

Exploiting Mumble on Xubuntu:

One-click RCE should also be possible on Xubuntu, using an NFS share.

CVE: CVE-2021-27229
Patch: Restricting allowed schemes to http and https

Bitcoin/Dogecoin Wallets

The Bitcoin-Qt client allows users to specify the blockchain explorer website they want to use in the GUI settings window by defining a list of URIs (separated by ‘|’).

Exploiting the Bitcoin wallet on Windows:

Bitcoin-Qt shows a warning message in the RPC console before users run commands there. Adding blockchain explorer URLs, by contrast, looks to the average user like a harmless, normal interaction rather than like pasting code snippets into the RPC console, even though a malicious explorer URL ends up being opened through the same OS mechanism.

The issue was disclosed to Bitcoin Core, Bitcoin Gold, Bitcoin Cash, Bitcoin ABC and Dogecoin on January 18th.

Dogecoin: Fixed in v1.14.3
Bitcoin ABC: Fixed in version 0.22.15
Bitcoin Cash: Fixed in version 23.0.0

Wireshark

The Qt-based Wireshark packet analyzer makes some fields that contain URLs double-clickable. These URLs were simply passed to QDesktopServices::openUrl, allowing for exploitation via malicious capture files or the live capture of maliciously crafted traffic.

Exploitation was demonstrated on both Windows and Xubuntu.

CVE: CVE-2021-22191
Patch: Changing double-click behavior to copy URLs to the clipboard rather than opening them

Preventions:

For OS/Desktop environments:

  • Remote shares should not be auto-mounted
  • Appropriate warning messages should be shown

For Frameworks:

  • Parameters should be secure by default

For Applications:

Applications that let users open external URLs should validate the URLs with a URI scheme allowlist.
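The following C++ example is added here to show what the scheme allowlist recommended above looks like in practice; it is not code from Nextcloud, Bitcoin-Qt or any other project mentioned on this page. It mirrors the shape of the Nextcloud fix (an http/https/oauthtest allowlist in front of the OS open call) and applies the same check to a ‘|’-separated blockchain explorer setting like the one in Bitcoin-Qt. Function names, the allowlists and the sample URLs are assumptions; the real QDesktopServices::openUrl call is left as a comment so the block runs without Qt.

```cpp
#include <algorithm>
#include <cctype>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Extract the URI scheme per RFC 3986 (ALPHA *(ALPHA / DIGIT / "+" / "-" / "."))
// and return it lower-cased. Returns std::nullopt when the input has no
// syntactically valid scheme, e.g. a bare path like "/tmp/x" or "evil.bat".
std::optional<std::string> uriScheme(const std::string& url) {
    auto colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return std::nullopt;
    std::string scheme = url.substr(0, colon);
    if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return std::nullopt;
    for (char c : scheme) {
        unsigned char u = static_cast<unsigned char>(c);
        if (!(std::isalnum(u) || c == '+' || c == '-' || c == '.')) return std::nullopt;
    }
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Allowlist check: true only if a scheme is present and it is in the list.
// A Windows path such as "C:\evil.bat" parses as scheme "c" and a UNC path
// such as "\\server\share\evil.bat" has no scheme at all; both are rejected,
// which is exactly what an allowlist (unlike a blacklist) gives you for free.
bool schemeAllowed(const std::string& url, const std::vector<std::string>& allow) {
    auto scheme = uriScheme(url);
    if (!scheme) return false;
    return std::find(allow.begin(), allow.end(), *scheme) != allow.end();
}

// Assumed stand-in for a fixed Nextcloud-style wrapper: only http, https and
// oauthtest URLs reach the OS handler. Returns whether the URL was opened.
bool openBrowserChecked(const std::string& url) {
    static const std::vector<std::string> kAllow = {"http", "https", "oauthtest"};
    if (!schemeAllowed(url, kAllow)) return false;   // refuse (and ideally log/warn)
    // QDesktopServices::openUrl(QUrl(QString::fromStdString(url)));
    return true;
}

// The Bitcoin-Qt explorer setting is a '|'-separated list of URL templates.
// Validate every entry at save time instead of opening them blindly later;
// returns the entries that fail the http/https allowlist so the UI can
// reject the whole setting.
std::vector<std::string> rejectedExplorerUrls(const std::string& setting) {
    std::vector<std::string> rejected;
    std::stringstream ss(setting);
    std::string entry;
    while (std::getline(ss, entry, '|')) {
        if (!schemeAllowed(entry, {"http", "https"})) rejected.push_back(entry);
    }
    return rejected;
}
```

Note that the check is on the parsed scheme, not on a file extension or hostname: sftp://, file://, drive-letter and UNC inputs all fail the same way, and a new scheme only becomes reachable when someone deliberately adds it to the allowlist.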


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.