A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user’s computer, without even requiring the victim to actually open them.
KDE Plasma is one of the most popular open-source widget-based desktop environments for Linux users and comes as the default desktop environment on many Linux distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS.
Security researcher Dominik Penner, who discovered the vulnerability, said there is a command injection vulnerability in the KDE 4/5 Plasma desktop due to the way KDE handles .desktop and .directory files.
“When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function,” Penner said.
[Video demos 1 and 2: KDE 4/5 KDesktopFile Command Injection. Source: Dominik Penner's official YouTube channel.]
Exploiting this flaw, which affects KDE Frameworks package 5.60.0 and below, is simple and involves some social engineering, as an attacker would need to trick a KDE user into downloading an archive containing a malicious .desktop or .directory file.
“Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by dragging and dropping a link of it into their documents or desktop,” the researcher explained.
“Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE.”
As a proof-of-concept, Penner also published exploit code for the vulnerability along with two videos that successfully demonstrate the attack scenarios exploiting the KDE KDesktopFile Command Injection vulnerability.
Apparently, the researcher did not report the vulnerability to the KDE developers before publishing the details and PoC exploits, the KDE Community said while acknowledging the vulnerability and assuring users that a fix is on its way.
“Also, if you discover a similar vulnerability, it is best to send an email firstname.lastname@example.org before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it,” KDE Community said.
Meanwhile, the KDE developers recommended that users “avoid downloading .desktop or .directory files and extracting archives from untrusted sources” for now, until the vulnerability gets patched.
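A check that fits that interim advice, as an added example (not code from KDE or the researcher): a Python scanner that lists .desktop and .directory files in an extracted archive whose entries ask KConfig to expand their values. It relies on KConfig's `[$e]` key flag, which this article does not name, and the sample file in it is constructed and harmless.

```python
import re
import sys
from pathlib import Path

# Assumption: KConfig requests expansion through a "$e" key flag, e.g. Key[$e]=...
ENTRY = re.compile(r"^\s*([^=\[\s#][^=\[]*?)((?:\[[^\]]*\])*)\s*=(.*)$")
NAMES = {".desktop", ".directory"}

# Constructed sample, harmless: one locale key, two expansion-flagged keys.
SAMPLE = """[Desktop Entry]
Type=Directory
Name[de]=Beispiel
Name[$e]=$(hostname)
Comment[$e]=$HOME/notes
Icon=folder
"""


def scan_text(text):
    """Return (line_no, key, kind) for each entry that asks KConfig to expand."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # group headers, comments, blank lines
        key, flags, value = m.group(1).strip(), m.group(2), m.group(3)
        # A locale suffix such as [de] carries no '$'; option flags do.
        opts = [f for f in re.findall(r"\[([^\]]*)\]", flags) if f.startswith("$")]
        if not any("e" in f[1:] for f in opts):
            continue
        if "$(" in value:
            findings.append((no, key, "shell-substitution"))
        elif "$" in value:
            findings.append((no, key, "env-expansion"))
    return findings


def scan_tree(root):
    """Scan .desktop/.directory files under root; return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        # ".directory" is a dotfile, so Path.suffix is empty; match on name too.
        if path.is_file() and (path.suffix in NAMES or path.name in NAMES):
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, hits)
```

Run it against the directory an archive was extracted into, before browsing that directory in a file manager; a "shell-substitution" finding is the case the advisory describes.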
Update — KDE v5.61.0 Patches Command Injection Vulnerability
KDE developers have patched this vulnerability by removing the entire feature of supporting shell commands in the KConfig files, an intentional feature that KDE provides for flexible configuration.
According to the developers, KConfig could be abused by miscreants to make KDE users “install such files and get code executed even without intentional action by the user.”
“A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase for instance,” KDE said in its security advisory released Wednesday.
“After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed, because we couldn’t find an actual use case for it. If you do have an existing use for the feature, please contact us so that we can evaluate whether it would be possible to provide a secure solution.”
Users are advised to update to version 5.61.0 of KDE Frameworks 5, while users on kdelibs should apply the patch for kdelibs 4.14 provided in the KDE Project advisory.