
Command Injection in KDE Plasma 4/5

Cyber security | Karan | August 6, 2019

Background
KDE Plasma 5.15 - kde.org

On July 28th 2019, Dominik Penner (@zer0pwn) published a vulnerability on GitHub that affects Plasma, the desktop environment by KDE.

Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

~ @zer0pwn

The vulnerability can be used to achieve remote command execution just by opening a directory that contains the crafted file. KDE's configuration syntax allows dynamic configuration entries without any sanitization whatsoever. The function KConfigGroup::readEntry() reads the entries under the [Desktop Entry] group. It then calls KConfigPrivate::expandString(), which is the core component of this exploit.

KDE Plasma reads .desktop and .directory files, which contain a description of the folder; the GUI reads them every time the user enters a directory with a file browser. Simply putting the malicious code in the value of 'Icon' under [Desktop Entry] results in its execution.
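A defensive check for the kind of entry described above, as an added example that is not from the original post or from KDE: it scans `.desktop` and `.directory` files for keys carrying KConfig's documented `[$e]` shell-expansion marker whose value contains a `$(...)` command substitution. The function names and the two sample files are constructed for illustration.

```python
import os
import re

# KConfig key options look like Key[$e] or Key[$ie]; 'e' requests shell expansion.
EXPAND_KEY = re.compile(r"\[\$[a-z]*e[a-z]*\]\s*$")
# Command substitution inside a value that will be expanded.
CMD_SUBST = re.compile(r"\$\(")

# Constructed sample inputs (not taken from the advisory).
SAMPLE_FLAGGED = "[Desktop Entry]\nType=Directory\nIcon[$e]=$(echo constructed-sample)\n"
SAMPLE_CLEAN = "[Desktop Entry]\nType=Directory\nIcon=folder-documents\nName[fr]=Dossier\n"

def scan_text(text):
    """Return (line_no, group, key) for expandable keys whose value holds $(...)."""
    findings, group = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]") and "=" not in line:
            group = line[1:-1]          # e.g. "Desktop Entry"
            continue
        key, sep, value = line.partition("=")
        if sep and EXPAND_KEY.search(key.strip()) and CMD_SUBST.search(value):
            findings.append((no, group, key.strip()))
    return findings

def scan_tree(root):
    """Walk root and map each suspicious .desktop/.directory path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name == ".directory" or name.endswith(".desktop")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue                # unreadable file: skip, keep scanning
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    import sys
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for no, group, key in found:
            print(f"{path}:{no}: [{group}] {key} contains command substitution")
```

Run it against download folders, extracted archives and the desktop directory; a hit is a file to quarantine and inspect, not to open in a file manager.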

On his GitHub, Dominik has also provided the Proof of Concept along with the affected code that is responsible for the command injection. Namely, the files kdesktopfile.cpp, kconfiggroup.cpp and kconfig.cpp are affected. The affected versions are 5.60.0 and below. KDE has not yet released an update that fixes this issue.

The above video by Dominik shows the Proof of Concept in action.

Sources:

https://gist.github.com/zeropwn/630832df151029cb8f22d5b6b9efaefb#file-kde-kdesktopfile-command-injection-txt

Written by: Karan
