CVE-2017-11421
Description
VBScript injection in gnome-exe-thumbnailer <0.9.5 allows local attackers to execute code when GNOME Files processes an MSI file with malicious filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In gnome-exe-thumbnailer versions before 0.9.5, the script used to generate thumbnails for MSI files invoked wine cscript.exe to execute a VBScript snippet that extracted the ProductVersion property. The VBScript code was constructed by concatenating user-controlled strings from the filename, leading to a VBScript injection vulnerability (the "Bad Taste" issue). The vulnerable code path was triggered automatically when the GNOME Files file manager (nautilus) attempted to generate a thumbnail for any .msi file [1].
Exploitation
An attacker with the ability to place a specially crafted .msi file on the victim's filesystem (e.g., via a downloaded file, USB drive, or shared directory) could embed arbitrary VBScript code within the filename. When the victim navigates to the directory containing that file using GNOME Files, the thumbnailer automatically executes the VBScript, injecting the attacker's code into the cscript process [1]. No special privileges or user interaction beyond browsing the directory are required.
Impact
Successful exploitation allows an attacker to execute arbitrary VBScript code with the privileges of the user running GNOME Files. This can lead to system information disclosure, data theft, persistence, or further compromise of the user's session. The vulnerability is classified as High severity (CVSS 7.8) due to the low complexity and potential for full compromise.
Mitigation
The vulnerability is fixed in gnome-exe-thumbnailer version 0.9.5, released on 2017-07-18. The fix replaces the VBScript-based version extraction with a call to msiinfo from msitools, which does not execute any script [1]. Users should update to version 0.9.5 or later. No workarounds are available; the only mitigation is to avoid browsing directories with untrusted .msi files until the update is applied.
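The filename triage and the data-only extraction described under Vulnerability and Mitigation, as an added example (not code from gnome-exe-thumbnailer or the cited references). All function names are hypothetical, and the `msiinfo export FILE Property` invocation with tab-separated output is an assumption about msitools.

```shell
# Added example, not gnome-exe-thumbnailer's code. POSIX sh; function names are hypothetical.
nl='
'
cr=$(printf '\r')

# Succeeds if NAME holds a character that would end a VBScript string literal (")
# or the current script line (LF/CR) when pasted into generated script text.
name_breaks_vbs_literal() {
    case $1 in
        *'"'*|*"$nl"*|*"$cr"*) return 0 ;;
    esac
    return 1
}

# Triage: print each .msi in DIR (non-recursive, dotfiles skipped) whose name is
# risky, with LF/CR shown as '?'. Exit status is 0 only if at least one was found.
list_risky_msi() {
    found=1
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        case $p in *.[mM][sS][iI]) ;; *) continue ;; esac
        if name_breaks_vbs_literal "${p##*/}"; then
            printf '%s' "$p" | tr '\n\r' '??'; echo
            found=0
        fi
    done
    return "$found"
}

# Read an exported Property table (tab-separated rows) on stdin and print
# the ProductVersion value, dropping a trailing CR if the rows end in CRLF.
product_version_from_table() {
    awk -F'\t' '$1 == "ProductVersion" { sub(/\r$/, "", $2); print $2; exit }'
}

# Data-only extraction: the path is a single argv element, never script text.
# Assumes msitools provides `msiinfo export FILE TABLE`; "./" guards a leading "-".
msi_product_version() {
    case $1 in /*|./*) f=$1 ;; *) f=./$1 ;; esac
    msiinfo export "$f" Property | product_version_from_table
}
```

Run `list_risky_msi` over download or removable-media directories on hosts still on a version before 0.9.5; a hit is a lead for review, not proof of an attack.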
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:gnome-exe-thumbnailer_project:gnome-exe-thumbnailer:*:*:*:*:*:*:*:* (range: <=0.9.4)
- (no CPE) (range: <0.9.5)
Patches
No patches discovered yet.
References
- github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 (nvd: Issue Tracking, Patch, Third Party Advisory)
- news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html (nvd: Third Party Advisory)
- bugs.debian.org/868705 (nvd: Issue Tracking, Third Party Advisory)
- www.securityfocus.com/bid/99922 (nvd)