On July 28th 2019, Dominik Penner (@zer0pwn) published a vulnerability on GitHub that affects KDE's Plasma desktop environment.
Using a specially crafted .desktop file, a remote user could be compromised simply by downloading the file and viewing it in their file manager, or by dragging and dropping a link to it into their documents folder or onto their desktop.
The vulnerability can be used to achieve Remote Command Execution just by opening the directory. KDE's configuration syntax allows dynamic configuration entries without any sanitisation whatsoever. The function KConfigGroup::readEntry() reads the entries under the [Desktop Entry] section; it then calls KConfigPrivate::expandString(), which is the core component of this exploit.
KDE Plasma reads the .desktop and .directory files that describe a folder, and the GUI re-reads them every time the user enters a directory with a file browser. Simply placing the malicious code as the value of the 'Icon' key in [Desktop Entry] results in its execution.
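A defensive way to put the mechanism above to use is to scan .desktop and .directory files for entries that KConfig would expand. The scanner below is an added example, not code from the original post or from KDE; it assumes (from KConfig's documented syntax) that a key suffixed with `[$e]` is marked expandable and that `$(...)` inside such a value is what KConfigPrivate::expandString() hands to a shell. Both sample files are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: an expandable Icon entry carrying a command substitution.
SUSPICIOUS_DIRECTORY_FILE = """[Desktop Entry]
Type=Directory
Name=Photos
Icon[$e]=$(echo demo)
"""

# Constructed sample: an ordinary launcher with a plain icon name.
BENIGN_DESKTOP_FILE = """[Desktop Entry]
Type=Application
Name=Editor
Exec=/usr/bin/editor %f
Icon=accessories-text-editor
"""

# key, optional bracketed flags such as [$e] or a locale like [de], then '=' and the value
ENTRY_RE = re.compile(r'^\s*([^=\[\s]+)((?:\[[^\]]*\])*)\s*=(.*)$')
COMMAND_SUBST_RE = re.compile(r'\$\(')

# (section, key, line number, reason)
Finding = Tuple[str, str, int, str]

def scan_desktop_text(text: str) -> List[Finding]:
    """Report entries whose value could reach KConfig's string expansion."""
    findings: List[Finding] = []
    section = ''
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if stripped.startswith('[') and stripped.endswith(']'):
            section = stripped[1:-1]  # e.g. "Desktop Entry"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, flags, value = m.group(1), m.group(2), m.group(3)
        expandable = '[$e]' in flags          # entry explicitly marked for expansion
        has_cmd = bool(COMMAND_SUBST_RE.search(value))
        if expandable and has_cmd:
            findings.append((section, key, lineno,
                             'expandable entry ([$e]) containing $(...) command substitution'))
        elif has_cmd:
            findings.append((section, key, lineno,
                             '$(...) in value; dangerous only if read in an expanding context'))
    return findings
```

Run it over every .desktop and .directory file in a download or shared folder, and treat any `[$e]` + `$(...)` finding as a file to quarantine rather than open in the file manager.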
Dominik has also provided on his GitHub the affected code, along with the Proof of Concept, responsible for the command injection. The affected files are kdesktopfile.cpp, kconfiggroup.cpp and kconfig.cpp, and the affected versions are 5.60.0 and below. KDE has not yet released any update that fixes this issue.
Written by: Karan