PCManFM-Qt D-Bus Interface Vulnerability Allows Arbitrary File Execution and Sandbox Bypass

Vulnerability

A vulnerability exists in all versions of PCManFM-Qt starting from 1.1.0, related to the handling of file URIs through the D-Bus method org.freedesktop.FileManager1.ShowFolders. The application incorrectly assumes that all provided URIs are directories and delegates to external programs based on the file type without user confirmation. This behavior can lead to unintended code execution or allow users to circumvent network namespace restrictions, particularly when using Wine with its default MIME handlers for executable files.

Impact

Exploitation of this vulnerability could result in unauthorized execution of arbitrary files, potentially leading to malicious code execution, and allow users to escape from application sandboxes, accessing restricted files or network resources.

Reproduction

To reproduce this vulnerability, first ensure that PCManFM-Qt is installed and that Wine is set up to handle executable files. Then, within a Flatpak application that does not have access to the host's D-Bus, use the 'org.freedesktop.FileManager1.ShowFolders' method to open a file that Wine can execute, such as a WordPad executable. This will trigger the execution of the file, bypassing the application's sandbox restrictions.
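The missing check described under Vulnerability, written out as an added example (this is not PCManFM-Qt source code or the project's fix): a filter that accepts only URIs resolving to existing local directories before anything is opened. The names `localPathFromUri`, `isDirectory` and `filterShowFolders` are hypothetical, and POSIX `stat()` is assumed.

```cpp
// Added example: hypothetical pre-dispatch filter, not PCManFM-Qt source.
#include <sys/stat.h>
#include <cctype>
#include <string>
#include <vector>

// Convert a file:// URI into a local path. Rejects other schemes,
// non-local hosts, malformed percent-escapes and embedded NUL bytes.
bool localPathFromUri(const std::string& uri, std::string& out) {
    const std::string scheme = "file://";
    if (uri.compare(0, scheme.size(), scheme) != 0) return false;
    std::string rest = uri.substr(scheme.size());
    // The authority must be empty or "localhost"; the path must be absolute.
    if (rest.compare(0, 9, "localhost") == 0) rest.erase(0, 9);
    if (rest.empty() || rest[0] != '/') return false;
    out.clear();
    for (std::size_t i = 0; i < rest.size(); ++i) {
        if (rest[i] != '%') { out += rest[i]; continue; }
        if (i + 2 >= rest.size() ||
            !std::isxdigit(static_cast<unsigned char>(rest[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(rest[i + 2])))
            return false;
        char c = static_cast<char>(std::stoi(rest.substr(i + 1, 2), nullptr, 16));
        if (c == '\0') return false;  // a NUL would truncate the path seen by stat()
        out += c;
        i += 2;
    }
    return true;
}

// True only when the path exists and is a directory (symlinks are followed).
bool isDirectory(const std::string& path) {
    struct stat st;
    return ::stat(path.c_str(), &st) == 0 && S_ISDIR(st.st_mode);
}

// Keep only the ShowFolders arguments that are existing local directories.
// Regular files (for example a .exe with a Wine MIME handler) are dropped
// instead of being handed to an external program.
std::vector<std::string> filterShowFolders(const std::vector<std::string>& uris) {
    std::vector<std::string> dirs;
    std::string path;
    for (const auto& uri : uris)
        if (localPathFromUri(uri, path) && isDirectory(path))
            dirs.push_back(path);
    return dirs;
}
```

The returned paths should be shown in a folder view only; the check does not make it safe to pass them on to a MIME handler afterwards, since a path can change between the check and its use.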

Added: May 26, 2026, 3:00 PM
Updated: May 26, 2026, 3:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 9.1
threat: 6.4
urgency: 0.0
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.