Malicious Windows MSI Files Infect Linux Systems

Cyber security expert Nils Dagsson Moskopp has discovered a sophisticated vulnerability named “Bad Taste” that allows malicious Windows MSI Files to infect Linux systems. These malformed MSI files can be used to execute malware on Linux systems.
This vulnerability exists in the gnome-exe-thumbnailer package, which is used by GNOME files for the GNOME desktop used by Linux distros.

The Malware Package

Malicious VBScript could be hidden inside the names of MSI files – a sophisticated exploit. When a folder containing the malicious MSI file is accessed, the malicious file automatically gets parsed, and an icon from the file is extracted for display. When the GNOME file searches for the icon in the MSI file, the thumbnailer has to read the filename and inevitably the malicious code within gets executed.

The complexity is quite high, and cyber criminals or nation state actors who knew about this vulnerability could have been exploiting this vulnerability. In proof of concept code, Moskopp successfully demonstrated the ability to drop a file, hence confirming the possibility of infection.

Initial Infection

Bad Taste vulnerability helps obtain an initial foothold on targeted systems. Cybercriminals need to employ social engineering to trick targeted victims to download an MSI file. If the victim falls for it, then the infection is successful. Moskopp further adds that the malicious MSI file could also be spread via drive-by downloads. Some browsers such as Google Chrome allow auto-downloading facility, which could be exploited by drive-by downloads to drop malicious MSI files.

The malicious capability of the exploit code attached to the MSI’s filename determines how severe the attack would be. And if the cyber criminal is also able to gain root/admin privileges, then the attack would be even more severe.

Summary

In his blog, Moskopp summarizes the vulnerability as: “Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.

Since only one line of VBScript is available, statements injected via the filename must be separated by colons. A single apostroph character (‘) can be used to start a comment that goes until the end of the line.”

Present Status of the Vulnerability

Moskopp had reported the issue to the Debian project, and the vulnerability has since been fixed. The details of the report: Debian Bug report logs – #868705; Package: gnome-exe-thumbnailer: CVE-2017-11421: Thumbnail generation for MSI files executes arbitrary VBScript.