
Code execution through MIME-type association of Mono interpreter

A dangerous file type association in Debian which could be used to trigger arbitrary code execution.

Vulnerability

On Debian and derivatives, the mono-runtime-common package associates the application/x-ms-dos-executable MIME type with the Mono CLR/.NET interpreter:

[Desktop Entry]
Name=Mono Runtime
Exec=mono
Terminal=false
Type=Application
Icon=mono-runtime-common
MimeType=application/x-ms-dos-executable;
NoDisplay=true

Opening such a file results in execution of the .exe code by mono. This makes it very easy for an attacker to trigger arbitrary code execution through programs such as Chromium, Firefox (through a malicious HTTP resource) and Thunderbird (through a malicious email attachment) when the Mono packages are installed.

This has been reported as Debian bug 972146 (not by me) and has been assigned CVE-2023-26314 and DLA-3343-1.

| Distribution | Fixed in package |
|---|---|
| Debian 10 (Buster) | 5.18.0.240+dfsg-3+deb10u1 |
| Debian 11 (Bullseye) | N/A (vulnerable) |
| Debian Testing/Sid | 6.8.0.105+dfsg-3.3 |
| Ubuntu 18.04 (Bionic) | N/A (vulnerable) |
| Ubuntu 20.04 (Focal) | N/A (vulnerable) |
| Ubuntu 22.10 (Kinetic) | N/A (vulnerable) |
| Ubuntu 23.04 (Lunar) | 6.8.0.105+dfsg-3.3 |
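
To check whether a host carries this kind of association, the installed desktop entries can be parsed and matched against the MIME type above. This is an added example, not code from the original post or from the Mono packaging; the function names and the list of search directories (the usual XDG application directories) are assumptions, and the sample entry is constructed from the one quoted above.

```python
import glob
import os

# MIME type named on this page; extend the set to audit other formats.
RISKY_MIME_TYPES = {"application/x-ms-dos-executable"}

# Constructed sample, abridged from the desktop entry quoted above.
SAMPLE_ENTRY = """[Desktop Entry]
Name=Mono Runtime
Exec=mono
Type=Application
MimeType=application/x-ms-dos-executable;
"""

def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    fields, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def risky_handlers(text, risky=RISKY_MIME_TYPES):
    """Return (Exec, sorted risky MIME types) if the entry handles any, else None."""
    fields = parse_desktop_entry(text)
    declared = {m.strip() for m in fields.get("MimeType", "").split(";") if m.strip()}
    hits = sorted(declared & set(risky))
    return (fields.get("Exec", ""), hits) if hits else None

def scan(directories=("/usr/share/applications", "/usr/local/share/applications",
                      os.path.expanduser("~/.local/share/applications"))):
    """Audit installed .desktop files; returns {path: (Exec, MIME types)}."""
    findings = {}
    for directory in directories:
        for path in sorted(glob.glob(os.path.join(directory, "*.desktop"))):
            with open(path, encoding="utf-8", errors="replace") as handle:
                hit = risky_handlers(handle.read())
            if hit:
                findings[path] = hit
    return findings

if __name__ == "__main__":
    for path, (command, mimes) in scan().items():
        print(f"{path}: Exec={command!r} handles {', '.join(mimes)}")
```

Any entry it reports is a program that a browser or mail client may launch on a downloaded file of that type.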

Appendix, C# payload

If you need a simple C# payload, you can use something like this:

using System;
using System.Diagnostics;

namespace App
{
    public class App
    {
        public static void Main(string[] args)
        {
            Process cmd = new Process();
            cmd.StartInfo.FileName = "xterm";
            cmd.StartInfo.Arguments = "-e /bin/bash -l -c nyancat";
            cmd.Start();
        }
    }
}

It can be compiled and tested as follows:

# Compile the program:
mcs test.cs

# Test it is actually executing:
mono test.exe