A new vulnerability has been found in the KDE desktop environment on Linux operating systems. A researcher named Dominik Penner disclosed the vulnerability.
The vulnerability, present in the KDE framework, could allow an attacker to place malicious code in .desktop and .directory files on Linux. These maliciously crafted files can enable the attacker to run arbitrary commands on the operating system.
What makes this vulnerability so dangerous is that it does not require any user interaction. Your system can be compromised just by viewing the affected file in the KDE file manager.
The vulnerability affects KDE Plasma, one of the most widely used open-source desktop environments, which comes pre-installed on many Linux distributions such as openSUSE, Kubuntu, Manjaro and PCLinuxOS.
KDE Plasma 4 and 5 contain a command injection flaw. The flaw stems from the way KDE Plasma handles .directory and .desktop files.
The flaw is straightforward to exploit, as the researcher demonstrated in videos showing how it works.
The flaw, which affects KDE packages 5.60.0 and below, is elementary to execute. It requires only a little social engineering to trick the victim into downloading an archive file that contains the malicious code.
According to the researcher, if an attacker gains control of the config entries and triggers their reading, they can achieve RCE and execute arbitrary code.
The hacker tweeted, saying, “Command Injection fits in a tweet”:
The researcher uploaded the PoC without reporting it to the KDE developers. The KDE developers noted that patches to fix the issue are on their way.
The KDE developers added that anyone who finds a vulnerability in KDE software should report it to them at [email protected] before making it public, because black hat hackers can take advantage of that vulnerability.
Users are also advised to avoid downloading any .desktop or .directory files from suspicious sources until the issue is fixed.
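As a defensive check to go with that advice, the following added example (not code from the article, the researcher or KDE) inspects the .desktop and .directory members of a downloaded zip or tar archive without extracting it. The `[$e]` key option and the `$(...)` value syntax come from KConfig's documented shell-expansion feature and are an assumption here, since the article does not quote them; the function names and the sample entries are constructed.

```python
import re
import sys
import tarfile
import zipfile

# Assumption (KConfig's documented syntax, not quoted in the article): a key
# tagged with an "[$e]" option has its value expanded, and "$(...)" inside
# that value is run as a shell command by unpatched versions.
ENTRY = re.compile(r"^\s*([^=\[\]#]+)((?:\[[^\]]*\])*)\s*=(.*)$")
SUFFIXES = (".desktop", ".directory")

# Constructed sample: only lines 5 and 6 combine "[$e]" with "$(...)".
SAMPLE = """[Desktop Entry]
Type=Directory
Name[de]=Beispiel
Comment=costs $(5) today
Name[$e]=$(true)
X-Example[$ei]=$(true)
"""

def scan_text(text):
    """Return (line_no, key, value) for entries that request command expansion."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue  # group headers, comments and blank lines
        key, options, value = m.groups()
        flags = re.findall(r"\[\$([a-z]+)\]", options)  # e.g. [$e], [$ei]
        if any("e" in f for f in flags) and "$(" in value:
            hits.append((no, key.strip(), value.strip()))
    return hits

def scan_archive(path):
    """Check .desktop/.directory members of a zip or tar without extracting it."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            blobs = [(i.filename, z.read(i)) for i in z.infolist()
                     if i.filename.endswith(SUFFIXES)]
    else:
        with tarfile.open(path) as t:
            blobs = [(m.name, t.extractfile(m).read()) for m in t.getmembers()
                     if m.isfile() and m.name.endswith(SUFFIXES)]
    found = {name: scan_text(data.decode("utf-8", "replace")) for name, data in blobs}
    return {name: hits for name, hits in found.items() if hits}

if __name__ == "__main__":
    for archive in sys.argv[1:]:
        for name, hits in scan_archive(archive).items():
            print(f"{archive}:{name}: shell expansion at {hits}")
```

Run it from a terminal on the archive itself, so that no file manager ever lists the extracted folder.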
The KDE developers have removed support for shell commands in KConfig files.
The researchers said that an attacker could abuse KConfig to install such files and run malicious code without user interaction.
The researchers further said:
Now that the patched version has been released, users should update KDE Frameworks 5, and kdelibs users are advised to update to v4.14 to avoid being affected by this KDE vulnerability.