The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with several Linux distributions such as Kubuntu, openSUSE, OpenMandriva, Chakra, KaOS, and others.
How the vulnerability works
The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files.
Penner discovered that he could create malicious .desktop and .directory files that could be used to run malicious code on a user's computer.
When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction -- such as running the file.
"Browsing to a folder via Dolphin (the KDE GUI file manager) which contains a malicious .desktop file is enough to get code execution," Alex Murray, Tech Lead for the Ubuntu Security team, told ZDNet, after we asked him to verify the vulnerability yesterday.
In a technical write-up of the bug that Penner published on GitHub, the researcher says the vulnerability can be used to place shell commands inside the standard "Icon" entries found in .desktop and .directory files.
The researcher said KDE "will execute our command whenever the file is viewed." A demo of an attack is available below, recorded by Penner.
Some social engineering needed, but it's an easy attack
The exploitation scenario involves some social engineering to trick a user into downloading these malicious files, but the advantage to this technique is that the user does not have to interact or open these files.
Some security experts have played down the bug's importance because it requires tricking users into downloading .desktop and .directory files -- both of which are very uncommon downloads and will arouse suspicions with most tech-savvy Linux users.
However, Murray told us the malicious files can also be hidden inside ZIP or TAR archives. A user might think he's downloading an archive of legitimate files, but be unaware that it may also hide malicious .desktop or .directory files.
Once the user unzips the archive and views its content, the malicious code executes without the target's knowledge or the target having to take any other actions.
Furthermore, exploit kits can also be employed to download the file on users' systems without interaction.
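The archive scenario Murray describes can be screened for before anything is unpacked. The following Python is an added example, not code from Penner's write-up or from KDE: it reads a ZIP or TAR archive in memory and flags .desktop and .directory members whose Icon entry contains shell command substitution. The `$(...)` and backtick patterns and all function names are assumptions made for this example, and the sample archive is constructed.

```python
import io, re, tarfile, zipfile

# Assumption: a shell command in an Icon value shows up as $(...) or backticks.
SHELL_SUBST = re.compile(r"\$\(|`")
# Icon key, optionally with bracketed suffixes such as a locale (Icon[de]).
ICON_KEY = re.compile(r"^\s*Icon(\[[^\]]*\])*\s*=(.*)$")
TARGET = re.compile(r"(^|/)(\.directory|[^/]*\.desktop)$")  # file names at any depth

def suspicious_icon_lines(text):
    """Return (line number, line) for Icon entries holding command substitution."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ICON_KEY.match(line)
        if m and SHELL_SUBST.search(m.group(2)):
            hits.append((n, line.strip()))
    return hits

def iter_members(data):
    """Yield (name, bytes) for each regular file in a ZIP or TAR held in memory."""
    bio = io.BytesIO(data)
    if zipfile.is_zipfile(bio):
        with zipfile.ZipFile(bio) as zf:
            yield from ((i.filename, zf.read(i)) for i in zf.infolist())
    else:
        bio.seek(0)
        with tarfile.open(fileobj=bio, mode="r:*") as tf:
            for member in tf:
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()

def scan_archive(data):
    """Map member name -> flagged Icon lines, read without extracting to disk."""
    findings = {}
    for name, body in iter_members(data):
        if TARGET.search(name):
            hits = suspicious_icon_lines(body.decode("utf-8", "replace"))
            if hits:
                findings[name] = hits
    return findings

def build_sample_tar():
    """Constructed sample: one ordinary launcher and one flagged .directory file."""
    files = {"docs/app.desktop": b"[Desktop Entry]\nName=App\nIcon=utilities-terminal\n",
             "docs/.directory": b"[Desktop Entry]\nIcon=$(echo constructed-sample)\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name); info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Calling `scan_archive(build_sample_tar())` reports only `docs/.directory`; an empty result means no Icon entry matched these two patterns, not that the archive is safe.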
Researcher did not notify KDE team
In an interview with ZDNet yesterday, Penner explained his motives for publishing the details of this bug without contacting the KDE team beforehand.
"I mainly just wanted to drop a 0day before Defcon [a security conference]," Penner told us. "I do plan on reporting it, but the issue is more of a design flaw than an actual vulnerability, despite what it can do."
"To be honest, I was debating on going into the code and making the change myself considering KDE is open source," Penner said.
ZDNet notified two members of the KDE team about this vulnerability yesterday. A KDE spokesperson provided the following reply:
"We would appreciate if people would contact firstname.lastname@example.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together," the spokesperson said.
Similar bugs have impacted Linux distros in the past
Over the past few years, there has been a whole class of security flaws impacting Linux desktop environments caused by libraries which handle the operations associated with displaying files or thumbnails inside the OS desktop GUI.
Bugs in parsing file metadata or rendering image thumbnails have often been found. Most of the time, these bugs occur without any user interaction and are triggered just by accessing the folder where the malicious file resides -- similar to the bug that Penner discovered.
For example, in November 2016, security researcher Chris Evans found that Fedora's Tracker and Gstreamer frameworks, part of Fedora's desktop environment, were allowing code execution when users accessed a folder containing malicious video files.
In 2017, German IT expert Nils Dagsson Moskopp found the "Bad Taste" vulnerability, which triggered code execution on Linux desktops utilizing the GNOME Files file viewer, when users viewed a Windows MSI file -- out of all things.
Penner's vulnerability is not unique, and certainly not unique to Linux systems. Problems with sanitizing file content and file metadata to remove possible hiding spots for malicious code still plague Windows as well, and they'll likely plague operating systems for years to come.
Updated on August 6, 1:15pm ET, with comment from a KDE spokesperson.