Created attachment 125340
PoC document to launch usr/lib/bless/bless.exe

The PDF specification defines the "Launch Action", which allows documents to launch arbitrary applications. The file to be launched can either be specified by a local path, a URL or a file embedded within the PDF document itself. The standard does not provide any security considerations regarding this obviously dangerous feature. Therefore, it is fair to say that PDF offers "command execution by design" – if the standard is straightforwardly implemented.

Okular uses xdg-open to handle the file to be launched, thereby delegating the security decision to a third-party application. On my Debian GNU/Linux test system, this results in code execution with minimal user interaction: by referencing a Windows .exe from a Link annotation, it is executed with `/usr/bin/mono`, an emulator for .NET executables, if the user clicked somewhere into the document.

**Steps to reproduce:**

1. `# apt-get install bless`
2. `$ okular launch-linux-mono.pdf`

I'm not sure if this is a bug/misconfiguration in xdg-open. However, it is debatable if security-focused PDF viewers should support the Launch action at all. It is a dangerous feature mostly used to spread malware (primarily in the Windows world).

We recently conducted a large-scale study of 294.586 PDF documents downloaded from the Internet, in order to research if there are any legitimate use cases at all. Only 532 files (0.18%) contained a Launch action. It can be concluded that the Launch action is rarely used in the wild and its support is questionable in security-oriented PDF implementations.
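A check for Launch actions of the kind a corpus study like the one in the report would need, as an added example that is not part of the original report or of Okular's code: a byte-level heuristic scan (not a full PDF parser) that also looks inside Flate-compressed streams and undoes `#xx` name escapes. The sample bytes, the file name `constructed-target.exe` and all function names are constructed for illustration.

```python
import re
import zlib

# Heuristic patterns; this is a byte-level scan, not a full PDF parser.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")        # /L#61unch == /Launch
LAUNCH = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")   # action subtype
TARGET = re.compile(rb"/U?F\s*\(((?:\\.|[^\\)])*)\)")  # literal-string file spec
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def normalize(blob):
    """Decode #xx name escapes so obfuscated names match the plain spelling."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), blob)

def inflate_streams(data):
    """Yield bodies of streams that inflate as zlib (e.g. compressed object streams)."""
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (or another filter); skipped by this sketch

def find_launch_actions(data):
    """Return one dict per /S /Launch occurrence, with a nearby file spec if any."""
    regions = [("file body", data)]
    regions += [("compressed stream", s) for s in inflate_streams(data)]
    hits = []
    for where, blob in regions:
        blob = normalize(blob)
        for m in LAUNCH.finditer(blob):
            # The file spec may precede or follow /S, so search a small window.
            window = blob[max(0, m.start() - 120):m.end() + 120]
            t = TARGET.search(window)
            hits.append({"where": where, "offset": m.start(),
                         "target": t.group(1).decode("latin-1") if t else None})
    return hits

# Constructed sample input: one plain Launch action, one hidden in a Flate stream.
HIDDEN = zlib.compress(b"<< /S /L#61unch /F (constructed-target.exe) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Action /S /Launch"
          b" /F (constructed-target.exe) >>\nendobj\n"
          b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + HIDDEN + b"\nendstream\nendobj\n")
BENIGN = b"1 0 obj\n<< /Type /Action /S /URI /URI (https://example.org/) >>\nendobj\n"

if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE):
        print(hit)
```

Encrypted documents and streams using filters other than Flate are not covered, so a clean result from this scan is not proof that a file has no Launch action.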
> in order to research if there are any legitimate use cases at all

There are
> apt-get install bless

bash: apt-get: no s'ha trobat l'ordre
I don't know what you're using but here it tells me "no sorry" https://i.imgur.com/covvjjX.png
I'm using Kali. Okular (xdg-open) does not allow you to *launch* Linux executables. It does however allow you to *open* files with a default application (e.g., a text file like /etc/passwd is opened with the default text editor; fair enough). Now, if we install mono (a dependency of bless), Windows executable files are xdg-opened (via Okular) with mono and thereby can cause harm on Linux.
You keep mentioning xdg-open but Okular does not use xdg-open, can you try to trace who is invoking that for you?

Oh wow, wait, you're on Okular 1.3.3? That's more than 2 years old, maybe you can try a distribution with a modern version of Okular and see if you can still reproduce the problem?
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!