A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE Frameworks libraries that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user's computer, without the victim ever opening the file.
KDE Plasma is one of the most popular open-source widget-based desktop environments for Linux and ships as the default desktop on many distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS.
Security researcher Dominik Penner, who discovered the vulnerability, contacted The Hacker News to report a command injection vulnerability in the KDE 4/5 Plasma desktop that stems from the way KDE handles .desktop and .directory files.
"When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function," Penner said.
Exploiting this flaw, which affects KDE Frameworks 5.60.0 and below, is simple but requires some social engineering: an attacker has to trick a KDE user into downloading an archive containing a malicious .desktop or .directory file.
"Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by dragging and dropping a link of it into their documents or desktop," the researcher explained.
"Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE."
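The mechanism Penner describes, as an added example that is neither part of this article nor KDE's own code: a small Python model of how a config entry flagged for shell expansion in a .desktop or .directory file is handled. It assumes KConfig's documented key syntax, in which a key suffixed with `[$e]` asks the reader to shell-expand the value, and that the unpatched expandString() treated `$(...)` in such a value as command substitution. The sample file, the function names, and the hardened `safe_expand()` are this example's own. `shell_commands()` shows what the vulnerable path would hand to a shell without executing anything, and `scan()` flags such entries so downloaded files or application directories can be checked.

```python
import re
import sys
from typing import Dict, List, Tuple

# Assumption (from KConfig's documented key syntax): a key suffixed with [$e]
# asks the config reader to shell-expand its value. In the unpatched
# KConfigPrivate::expandString() that covers $VAR, ${VAR} and $(command).
EXPAND_FLAG = "[$e]"
ENTRY_RE = re.compile(r"^([^=\[\]]+)((?:\[[^\]]*\])*)=(.*)$")
CMD_SUBST_RE = re.compile(r"\$\(([^()]*)\)")          # $(command), no nesting
VAR_RE = re.compile(r"\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)")

Entry = Tuple[str, str, bool, str]  # (group, key, expandable, raw value)


def parse_entries(text: str) -> List[Entry]:
    """Minimal .desktop/.directory reader: groups in [brackets], key=value lines.
    Key flags such as [de] (locale) or [$e] (expand) are kept apart from the key."""
    group = ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:
            key, flags, value = m.groups()
            entries.append((group, key.strip(), EXPAND_FLAG in flags, value))
    return entries


def shell_commands(value: str) -> List[str]:
    """Commands the *vulnerable* expansion would hand to a shell for this value.
    Nothing is executed here; this only shows what an attacker controls."""
    return CMD_SUBST_RE.findall(value)


def safe_expand(value: str, env: Dict[str, str]) -> str:
    """Hardened expansion: substitute $VAR / ${VAR} from a caller-supplied
    dictionary and never spawn a process. A value containing $(...) is
    returned untouched, so a consumer sees literal text, never command output."""
    if CMD_SUBST_RE.search(value):
        return value
    return VAR_RE.sub(lambda m: env.get(m.group(1) or m.group(2), ""), value)


def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """Flag expandable entries whose value carries command substitution."""
    findings = []
    for group, key, expandable, value in parse_entries(text):
        cmds = shell_commands(value)
        if expandable and cmds:
            findings.append((group, key, cmds))
    return findings


# Constructed sample for this example (not Penner's PoC): a .directory file
# with one benign expandable entry and one that carries command substitution.
SAMPLE = """[Desktop Entry]
Type=Directory
Name=Holiday pictures
Name[de]=Urlaubsbilder
Comment[$e]=$HOME/Pictures
Icon[$e]=$(id)
"""


if __name__ == "__main__":
    paths = sys.argv[1:]
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in paths] or [SAMPLE]
    for name, text in zip(paths or ["<sample>"], texts):
        for group, key, cmds in scan(text):
            print(f"{name}: [{group}] {key}{EXPAND_FLAG} would run: {cmds}")
```

Run it with one or more .desktop or .directory paths to list every entry that would reach a shell; with no arguments it scans the embedded sample and reports the `Icon[$e]` entry. The hardened variant deliberately does not try to sanitise the command string: the only robust fix is to never pass config-supplied text to a shell, which is why `safe_expand()` substitutes variables itself from a dictionary the caller controls.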
As a proof of concept, Penner also published exploit code for the vulnerability along with two videos demonstrating the attack scenarios, which exploit what he calls the KDE KDesktopFile Command Injection vulnerability.
The researcher apparently did not report the vulnerability to the KDE developers before publishing the details and PoC exploits, the KDE Community said while acknowledging the vulnerability and assuring users that a fix is on its way.
"Also, if you discover a similar vulnerability, it is best to send an email to firstname.lastname@example.org before making it public. This will give us time to patch it and keep users safe before the bad guys try to exploit it," the KDE Community said.
In the meantime, the KDE developers recommend that users "avoid downloading .desktop or .directory files and extracting archives from untrusted sources" until the vulnerability is patched.