KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files

Posted by & filed under Security Alerts.

A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user’s computer—without even requiring the victim to actually open it.

KDE Plasma is one of the most popular open-source widget-based desktop environment for Linux users and comes as a default desktop environment on many Linux distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS.

Security researcher Dominik Penner who discovered the vulnerability, informing that there’s a command injection vulnerability in KDE 4/5 Plasma desktop due to the way KDE handles .desktop and .directory files.

“When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function,” Penner said.

Video Demo 1: KDE 4/5 KDesktopFile Command Injection

Video Demo 2: KDE 4/5 KDesktopFile Command Injection

Source: Dominik Penner Official YouTube Channel.


Exploiting this flaw, which affects KDE Frameworks package 5.60.0 and below, is simple and involves some social engineering as an attacker would need to trick KDE user into downloading an archive containing a malicious .desktop or .directory file.

“Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by dragging and dropping a link of it into their documents or desktop,” the researcher explained.

“Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE.”

As a proof-of-concept, Penner also published exploit code for the vulnerability along with two videos that successfully demonstrate the attack scenarios exploiting the KDE KDesktopFile Command Injection vulnerability.

Apparently, the researcher did not report the vulnerability to the KDE developers before publishing the details and PoC exploits, said KDE Community while acknowledging the vulnerability and assuring users that a fix is on its way.

“Also, if you discover a similar vulnerability, it is best to send an email security@kde.org before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it,” KDE Community said.

Meanwhile, the KDE developers recommended users to “avoid downloading .desktop or .directory files and extracting archives from untrusted sources,” for a while until the vulnerability gets patched.

Update — KDE v5.61.0 Patches Command Injection Vulnerability

KDE developers have patched this vulnerability by removing the entire feature of supporting shell commands in the KConfig files, an intentional feature that KDE provides for flexible configuration.

According to the developers, KConfig could be abused by miscreants to make KDE users “install such files and get code executed even without intentional action by the user.”

“A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase for instance,” KDE said in its security advisory released Wednesday.

“After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed, because we couldn’t find an actual use case for it. If you do have an existing use for the feature, please contact us so that we can evaluate whether it would be possible to provide a secure solution.”

Users are recommended to update to version 5.61.0 of KDE Frameworks 5, while users on kdelibs are advised to apply the patch for kdelibs 4.14 provided in the KDE Project advisory.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.