printer exploitation
13th Septembder 2019

KDE 4/5 Kdesktop File Command Injection

The KDE 4 and 5 (< 5.60.0) versions are found to be affected by the command injection vulnerability in the KdesktopFile class.

The .directory or .desktop file when instantiated fail to safely evaluate the parameters in the Icon parameter which can be abused by the attacker to obtain command injection.

Only by simply downloading or viewing the malicious file in the default Dolphin File manager the malicious file executes itself.

This functionality allows the KDE to load its icon by default.

When we combine this feature with the way KDE handles .desktop and .directory files, we can force the file to evaluate some of the entries within the [Desktop Entry] tag. Some of the entries in this tag include "Icon", "Name", etc.


You must have Kdesktop Environment running

Create a file called .directory in any folder with the below content:

[Desktop Entry] Type=Directory Icon[$e]=$(echo0>~/Desktop/rce&)

Now whenever the file is viewed either in Dolphin, or on the Desktop (or while browsing an SMB share) the command will execute.



  • Icon[$e] : Set an environment variable named Icon
  • echo 0 > ~/Desktop/rce & : Create a file on the Desktop named rce


Disable shell expansion / dynamic entries for [Desktop Entry] configurations.