The security expert Dominik Penner, aka “@zer0pwn”, has disclosed an
“KDE Frameworks is a collection of libraries and software frameworks by KDE readily available to any Qt-based software stacks or applications on multiple operating systems.”
The KDE Frameworks is currently adopted by several Linux distros, including Kubuntu, OpenMandriva,
The vulnerability affects the KDE Frameworks package 5.60.0 and prior, it is caused by the way the KDesktopFile class handles .desktop or .directory files.
KDE 4/5 KDesktopFile (.desktop) Command Injection.
— Dominik Penner (@zer0pwn) August 5, 2019
Fits in a tweet.
[Desktop Entry]
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)https://t.co/Iy3UPrSuhE#redteam #0day #security #bugbounty #bugbountytip #bugbountytips #kde #rce #zerodotlol #zerolol pic.twitter.com/QRtX9Kwd1w
“KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a
The vulnerability could be exploited by attackers by using specially-crafted
The expert explained that browsing a folder with the KDE file viewer that contains where these files are stored, it will cause the execution of the malicious code in the
“When we combine this /feature/ with the way KDE handles
The flaw can be used by attackers to drop shell commands inside the standard “Icon” entries found in .desktop and .directory files
“So for example, if we were to browse to the malicious file in our file manager (dolphin), the Icon entry would get called in order to display the icon.” Penner explained. “Since we know this, we can use a shell command in place of the Icon entry, which in turn will execute our command whenever the file is viewed. Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE.”
Below a video
Penner did not report the flaw to the KDE team because he wanted to release a zero-day flaw before Defcon.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]