tried to connect to the internet #334
Comments
Managed to make it try to connect again, this time I took note of the executable: /usr/bin/eom /tmp/ark-xxxx-random-chars created by the ark program that unzipped the picture. |
Any chance this is the work of a malicious file?
…On 6/6/2022 at 6:06 PM, "hexarch" ***@***.***> wrote:
Managed to make it try to connect again, this time I took note of
the executable: /usr/bin/eom /tmp/ark-xxxx-random-chars created by
the ark program that unzipped the picture.
this time the IP is 81.17.x.x
anyway, the program should not make any connection.
|
Also, any chance your image was a link to an image or some kind of file containing such a link?
|
These were a few pictures downloaded from sites, compressed. I just double click to open and the image appears, because a temp file was created and eom shows the pictures. |
Random photos downloaded from sites could definitely contain malicious content, usually targeting vulnerabilities in Windows or Android. Note that since Android is based on Linux a common underlying vulnerability is possible.
Cannot test without the images, and testing them on a live system is considered dangerous. I do not have any VM support at all set up for such cases.
When I am back at my desktop I can search the source code of Pluma for network references but that's it.
One more thought: xorg itself supports forwarding all the display content to a remote machine and taking all input from it. This is normally used (rarely used now) intentionally but is no doubt exploitable
|
Ok thanks. I don't have them but I will try to download again and open. I do have VMs where I can test that out safely. |
An xorg exploit would play no role in wayland, as with eom supporting wayland since an "enable wayland support" commit it should not have to run xwayland. Check on Xorg as well if possible to see if a wayland specific bug exists. Also look for DIFFERENT urls being sought by different files, which would suggest malicious files |
Also, I just did a test with a known good online photo I had posted myself: opening the URL of an online/remote photo in eom works, so code to connect to the Internet, fetch a photo, and display has to be included. This is not a terminal feature: replacing Note that long ago, browsers depended on plugins for a lot of media handling, though I have no idea if that ever extended all the way down to images. Also note that the first browsers were text only and some like lynx are still in use. For that use case, for eom to be able to handle a remote file is useful. Now we need to find out why a downloaded file is trying to access a remote link. Make sure you have the actual files and not just links to them. If the image opens with the network disabled, you definitely have a local image. I would presume any embedded call back to the network from such an image to be malicious until proven otherwise |
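One way to run the checks suggested in the comments above (confirm each extracted file is a real image rather than a link, and compare the URLs that different files carry), as an added example that is not from this thread or the eom project. The magic-byte table, the namespace prefix list and the function names are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Leading bytes of common raster formats (illustrative, not exhaustive).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}
URL_RE = re.compile(rb"https?://[^\x00-\x20\x7f-\xff\"'<>]+")
# Assumption: these prefixes are XMP/RDF/SVG namespace identifiers found in
# ordinary metadata. They are hidden here to cut noise; drop the filter to see all.
NAMESPACE_PREFIXES = (b"http://ns.adobe.com/", b"http://www.w3.org/",
                      b"http://purl.org/")


def classify(data: bytes) -> str:
    """Identify a file by content, ignoring its name and extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<?xml", b"<svg", b"<!doctype", b"<html")):
        return "markup"  # SVG/HTML may reference remote resources
    if head.startswith((b"[desktop entry]", b"[internetshortcut]")):
        return "link"    # a shortcut to a picture, not a picture
    return "unknown"


def embedded_urls(data: bytes) -> list[str]:
    """Return the distinct http(s) URLs embedded anywhere in the file."""
    found = set(URL_RE.findall(data))
    return sorted(u.decode("ascii") for u in found
                  if not u.startswith(NAMESPACE_PREFIXES))


def triage(directory: str) -> dict[str, dict]:
    """Map each file name to its detected type and embedded URLs."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            data = path.read_bytes()
            report[path.name] = {"type": classify(data),
                                 "urls": embedded_urls(data)}
    return report


if __name__ == "__main__":
    for name, info in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {info['type']} {info['urls']}")
```

The script only reads bytes and never opens or renders the files, so it can be pointed at the extracted archive directory before any viewer touches it.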
Expected behaviour
don't connect to the internet without me asking for it and an image viewer should never try to reach the internet
Actual behaviour
trying to access the internet, this time was trying to access an IP 191.101.31.104 in Chile
found out was EOM because my internet firewall log says /usr/bin/eom
Steps to reproduce the behaviour
hard, it only tried once, trying to open more pictures to see if it goes again
MATE general version
Eye of MATE Image Viewer 1.26.0
Package version
latest in ArchLinux
Linux Distribution
ArchLinux
Link to bugreport of your Distribution (requirement)