Unpatched KDE vulnerability disclosed on Twitter

Just viewing --not running-- a malicious .desktop or .directory file inside a file browser can run malicious code on a user's system.
Written by Catalin Cimpanu, Contributor
Image credits: KDE (logo), Kubuntu (background)

A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing.

The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below.

The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with several Linux distributions such as Kubuntu, openSUSE, OpenMandriva, Chakra, KaOS, and others.

How the vulnerability works

The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files.

Penner discovered that he could create malicious .desktop and .directory files that could be used to run malicious code on a user's computer.

When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction -- such as running the file.

"Browsing to a folder via Dolphin (the KDE GUI file manager) which contains a malicious .desktop file is enough to get code execution," Alex Murray, Tech Lead for the Ubuntu Security team, told ZDNet, after we asked him to verify the vulnerability yesterday.

In a technical write-up of the bug that Penner published on GitHub, the researcher says the vulnerability can be used to place shell commands inside the standard "Icon" entries found in .desktop and .directory files

The researcher said KDE "will execute our command whenever the file is viewed." A demo of an attack is available below, recorded by Penner.

Some social engineering needed, but it's an easy attack

The exploitation scenario involves some social engineering to trick a user into downloading these malicious files, but the advantage to this technique is that the user does not have to interact or open these files.

Some security experts have played down the bug's importance because it requires tricking users into downloading .desktop and .directory files -- both of which are very uncommon downloads and will arrouse suspicions with most tech-savvy Linux users.

However, Murray told us the malicious files can also be hidden inside ZIP or TAR archives. A user might think he's downloading an archive of legitimate files, but be unaware that it may also hide malicious .desktop or .directory files.

Once the user unzips the archive and views its content, the malicious code executes without the target's knowledge or the target having to take any other actions.

Furthermore, exploit kits can also be employed to download the file on users' systems without interaction.

Researcher did not notify KDE team

In an interview with ZDNet yesterday, Penner explained the motives of publishing the details around this bug without contacting the KDE team beforehand.

"I mainly just wanted to drop a 0day before Defcon [a security conference]," Penner told us. "I do plan on reporting it, but the issue is more of a design flaw than an actual vulnerability, despite what it can do."

"To be honest, I was debating on going into the code and making the change myself considering KDE is open source," Penner said.

ZDNet notified two members of the KDE team about this vulnerability yesterday. A KDE spokesperson provided the following reply:

"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together," the spokesperson said.

Similar bugs have impacted Linux distros in the past

Over the past few years, there has been a whole class of security flaws impacting Linux desktop environments caused by libraries which handle the operations associated with displaying files or thumbnails inside the OS desktop GUI.

Bugs in parsing file metadata or rendering image thumbnails have often been found. Most of the time, these bugs occur without any user interaction and are triggered just by accessing the folder where the malicious file resides -- similar to the bug that Penner discovered.

For example, in November 2016, security researcher Chris Evans found that Fedora's Tracker and Gstreamer frameworks, part of Fedora's desktop environemnt, were allowing code execution when users accessed a folder containing malicious video files.

A month later, Evans found another similar bug that impacted both Fedora and Ubuntu, this time, exploitable via audio files.

In 2017, German IT expert Nils Dagsson Moskopp found the "Bad Taste" vulnerability, which triggered code execution on Linux desktops utilizing the GNOME Files file viewer, when users viewed a Windows MSI file -- out of all things.

Penner's vulnerability is not unique, and certainly not unique to Linux systems. Problems with sanitizing file content and file metadata to remove possible hiding spots for malicious still plague Windows as well, and they'll likely plague operating systems for years to come.

Updated on August 6, 1:15pm ET, with comment from a KDE spokesperson.

Updated on August 8 to add that the KDE team has released a fix.

10 super sweet laptops that come with Linux pre-installed

More vulnerability reports:

Editorial standards