KDE 4/5 KDesktopFile Command Injection
KDE 4 and KDE Frameworks 5 (kconfig before 5.61.0) are affected by a command injection vulnerability in the KDesktopFile class, which reads .desktop and .directory files through KConfig.
When such a file is loaded, the value of any entry whose key carries the [$e] option marker (for example Icon[$e]) is passed through KConfig's shell expansion. That expansion supports $(...) command substitution, so an attacker who controls the file can embed an arbitrary shell command in the Icon value and have it run.
No click is required: merely downloading the file, or viewing the folder that contains it in the default Dolphin file manager, is enough for the command to execute, because the file is parsed to find the icon to display.
KDE reads these files automatically so that a folder or launcher can show its own icon.
Combined with the way KConfig handles the [$e] marker in .desktop and .directory files, this means entries under the [Desktop Entry] group, such as Icon and Name, can be evaluated as soon as the file is displayed.
PROOF OF CONCEPT
You must be running a KDE desktop environment.
Create a file called .directory in any folder with the following content (three lines):
[Desktop Entry]
Type=Directory
Icon[$e]=$(echo 0 > ~/Desktop/rce &)
Now whenever the folder is viewed, either in Dolphin, on the Desktop, or while browsing an SMB share, the command will execute.
- Icon[$e] : the [$e] marker tells KConfig to apply shell expansion (environment variables and $(...) command substitution) to the value of the Icon key; it does not set an environment variable
- $(echo 0 > ~/Desktop/rce &) : the injected command, run through the shell when the value is expanded; it creates a file named rce on the Desktop, and the trailing & backgrounds it so the file manager is not blocked
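As an added example, not part of the original write-up, the following Python scanner parses .desktop and .directory files the way the PoC above is built and flags entries under [Desktop Entry] whose key carries an expansion marker, ranking a value that contains $(...) command substitution above one that only references an environment variable. The sample inputs are constructed, and the function and file names (parse_kconfig, find_shell_expansion, scan_tree) are my own. It goes slightly beyond the single Icon[$e] case shown above by treating KConfig's combined marker forms such as [$ie] as expanding too, which is my reading of KConfig's option-marker syntax.

```python
import os
import re

# Constructed sample input: the write-up's .directory PoC with a benign Name entry added.
POC_DIRECTORY = """[Desktop Entry]
Type=Directory
Icon[$e]=$(echo 0 > ~/Desktop/rce &)
Name=Shared Docs
"""

# Constructed sample input: an ordinary .desktop file that must not be flagged.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Name[de]=Texteditor
Icon=accessories-text-editor
Exec=kate %f
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
# key, then zero or more [..] markers (a locale such as [de] or option flags such as [$e]), then '='
ENTRY_RE = re.compile(r'^([^=\[\]\s]+)((?:\[[^\]]*\])*)\s*=(.*)$')
MARKER_RE = re.compile(r'\[([^\]]*)\]')
CMD_SUBST_RE = re.compile(r'\$\(')
ENV_REF_RE = re.compile(r'\$\{?[A-Za-z_][A-Za-z0-9_]*\}?')


def parse_kconfig(text):
    """Yield (group, key, markers, value) for each entry in INI-style KConfig text."""
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and group is not None:
            key, markers, value = m.groups()
            yield group, key, MARKER_RE.findall(markers), value.strip()


def has_expand_flag(markers):
    """True if an option marker ([$e], or a combined form such as [$ie]) requests shell expansion."""
    return any(m.startswith('$') and 'e' in m[1:] for m in markers)


def find_shell_expansion(text, group='Desktop Entry'):
    """Return (key, value, severity) for every expanding entry in the given group.

    severity is 'command' when the value contains $(...) command substitution,
    'env' when it only references environment variables, and 'marker' otherwise.
    """
    findings = []
    for g, key, markers, value in parse_kconfig(text):
        if g != group or not has_expand_flag(markers):
            continue
        if CMD_SUBST_RE.search(value):
            severity = 'command'
        elif ENV_REF_RE.search(value):
            severity = 'env'
        else:
            severity = 'marker'
        findings.append((key, value, severity))
    return findings


def scan_tree(root):
    """Walk root (e.g. a mounted share) and report expanding entries per .desktop/.directory file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != '.directory' and not name.endswith('.desktop'):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='utf-8', errors='replace') as fh:
                    findings = find_shell_expansion(fh.read())
            except OSError:
                continue
            if findings:
                report[path] = findings
    return report


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        for path, findings in scan_tree(sys.argv[1]).items():
            for key, value, severity in findings:
                print(f'{severity:8} {path}: {key}={value}')
    else:
        print(find_shell_expansion(POC_DIRECTORY))
```

Run it with a directory argument to sweep a download folder or a mounted share before opening it in Dolphin; any 'command' finding is the pattern used by the PoC above, while 'env' findings are legitimate uses of [$e] (for example a path built from $HOME) and only need review.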
MITIGATION
Update kconfig to 5.61.0 or later, which removes $(...) command substitution from [$e] expansion. Where that is not possible, disable shell expansion / dynamic entries for [Desktop Entry] configurations, and treat .desktop and .directory files from untrusted sources (downloads, SMB shares) as executable content.