If you are running a KDE desktop environment on your Linux operating system, you need to be extra careful and avoid downloading any “.desktop” or “.directory” file for a while.
A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user’s computer—without even requiring the victim to actually open it.
KDE Plasma is one of the most popular open-source widget-based desktop environment for Linux users and comes as a default desktop environment on many Linux distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS.
Security researcher Dominik Penner who discovered the vulnerability contacted The Hacker News, informing that there’s a command injection vulnerability in KDE 4/5 Plasma desktop due to the way KDE handles .desktop and .directory files.
“When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function,” Penner said.
Exploiting this flaw, which affects KDE Frameworks package 5.60.0 and below, is simple and involves some social engineering as an attacker would need to trick KDE user into downloading an archive containing a malicious .desktop or .directory file.
“Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by dragging and dropping a link of it into their documents or desktop,” the researcher explained.
“Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE.”
As a proof-of-concept, Penner also published exploit code for the vulnerability along with two videos that successfully demonstrate the attack scenarios exploiting the KDE KDesktopFile Command Injection vulnerability.
Apparently, the researcher did not report the vulnerability to the KDE developers before publishing the details and PoC exploits, said KDE Community while acknowledging the vulnerability and assuring users that a fix is on its way.
“Also, if you discover a similar vulnerability, it is best to send an email [email protected] before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it,” KDE Community said.
Meanwhile, the KDE developers recommended users to “avoid downloading .desktop or .directory files and extracting archives from untrusted sources,” for a while until the vulnerability gets patched.
SIMILAR BUGS HAVE IMPACTED LINUX DISTROS IN THE PAST
Over the past few years, there has been a whole class of security flaws impacting Linux desktop environments caused by libraries which handle the operations associated with displaying files or thumbnails inside the OS desktop GUI.
Bugs in parsing file metadata or rendering image thumbnails have often been found. Most of the time, these bugs occur without any user interaction and are triggered just by accessing the folder where the malicious file resides — similar to the bug that Penner discovered.
For example, in November 2016, security researcher Chris Evans found that Fedora’s Tracker and Gstreamer frameworks, part of Fedora’s desktop environemnt, were allowing code execution when users accessed a folder containing malicious video files.
A month later, Evans found another similar bug that impacted both Fedora and Ubuntu, this time, exploitable via audio files.
In 2017, German IT expert Nils Dagsson Moskopp found the “Bad Taste” vulnerability, which triggered code execution on Linux desktops utilizing the GNOME Files file viewer, when users viewed a Windows MSI file — out of all things.
Penner’s vulnerability is not unique, and certainly not unique to Linux systems. Problems with sanitizing file content and file metadata to remove possible hiding spots for malicious still plague Windows as well, and they’ll likely plague operating systems for years to come.