Expert publicly disclosed a zero-day vulnerability in KDE

A security expert has published PoC code exploit for a vulnerability in the KDE software framework that is yet to be fixed.

The security expert Dominik Penner, aka “@zer0pwn”, has disclosed an unpatched KDE vulnerability on Twitter.

“KDE Frameworks is a collection of libraries and software frameworks by KDE readily available to any Qt-based software stacks or applications on multiple operating systems.”

The KDE Frameworks is currently adopted by several Linux distros, including Kubuntu, OpenMandriva, openSUSE, and OpenMandriva.

The vulnerability affects the KDE Frameworks package 5.60.0 and prior, it is caused by the way the KDesktopFile class handles .desktop or .directory files.

“KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function.” reads a post published by the expert. “Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.”

The vulnerability could be exploited by attackers by using specially-crafted .desktop and .directory files that allow running malicious code on the victim’s computer.

The expert explained that browsing a folder with the KDE file viewer that contains where these files are stored, it will cause the execution of the malicious code in the .desktop or .directory files.

“When we combine this /feature/ with the way KDE handles .desktop and .directory files, we can force the file to evaluate some of the entries within the [Desktop Entry] tag.” the expert added. “Some of the entries in this tag include “Icon”, “Name”, etc. The exploit is dependent on the entry that gets read by the KConfigGroup::readEntry() function.”

The flaw can be used by attackers to drop shell commands inside the standard “Icon” entries found in .desktop and .directory files

“So for example, if we were to browse to the malicious file in our file manager (dolphin), the Icon entry would get called in order to display the icon.” Penner explained. “Since we know this, we can use a shell command in place of the Icon entry, which in turn will execute our command whenever the file is viewed. Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE.”

Below a video PoC shared by Penner and published by ZDNet:

Penner did not report the flaw to the KDE team because he wanted to release a zero-day flaw before Defcon.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – KDE, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]