Code execution through MIME-type association of Mono interpreter
Published:
Updated:
A dangerous file type association in Debian which could be used to trigger arbitrary code execution.
Vulnerability
On Debian and derivatives, the mono-runtime-common package associates the application/x-ms-dos-executable
MIME type with the Mono CLR/.NET interpreter:
[Desktop Entry]
Name=Mono Runtime
Exec=mono
Terminal=false
Type=Application
Icon=mono-runtime-common
MimeType=application/x-ms-dos-executable;
NoDisplay=true
Opening such a file results in execution of the .exe
code by mono
. This makes it very easy for an attacker to trigger arbitrary code execution through programs such as Chromium, Firefox (through a malicious HTTP resource) and Thunderbird (through a malicious email attachment) when the Mono packages are installed.
This has been reported as Debian bug 972146 (not by me) and has been assigned CVE-2023-26314 and DLA-3343-1.
Distribution | Fixed in package |
---|---|
Debian 10 (Buster) | 5.18.0.240+dfsg-3+deb10u1 |
Debian 11 (Bulleseye) | N/A (vulnerable) |
Debian Testing/Sid | 6.8.0.105+dfsg-3.3 |
Ubuntu 18.04 (Bionic) | N/A (vulnerable) |
Ubuntu 20.04 (Focal) | N/A (vulnerable) |
Ubuntu 22.10 (Kinetic) | N/A (vulnerable) |
Ubuntu 23.04 (Lunar) | 6.8.0.105+dfsg-3.3 |
References
- Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations
- Debian Bug #972146 - /usr/share/applications/mono-runtime-common.desktop: should not handle MIME type by executing arbitrary code (CVE-2023-26314)
- Debian Tracker about CVE-2023-26314
- Ubuntu security about CVE-2023-26314
Appendix, C# payload
If you need a simple C# payload, you can use something like this:
using System;
using System.Diagnostics;
namespace App
{
public class App
{
public static void Main(string[] args)
{
Process cmd = new Process();
cmd.StartInfo.FileName = "xterm";
cmd.StartInfo.Arguments = "-e /bin/bash -l -c nyancat";
cmd.Start();
}
}
}
Which can be used:
# Compile the program:
mcs test.cs
# Test it is actually executing:
mono test.exe