Vulnerability in KDE allowing code execution when viewing a list of files
A vulnerability has been identified in KDE that allows an attacker to execute arbitrary commands when a user browses a directory or archive containing specially crafted ".desktop" and ".directory" files. For an attack, it is enough for the user to simply view the list of files in the Dolphin file manager, download a malicious desktop file, or drag a shortcut onto the desktop or into a document with the mouse. The problem manifests itself in the current release of the KDE Frameworks libraries, 5.60.0, and in older versions back to KDE 4. The vulnerability remains unfixed (no CVE has been assigned).
The problem is caused by an incorrect implementation of the KDesktopFile class, which passes the value of the "Icon" variable, without proper escaping, to the KConfigPrivate::expandString() function. That function expands shell special characters, including treating "$(..)" strings as commands to be executed. Contrary to the requirements of the XDG specification, shell constructs are expanded regardless of the type of setting, i.e. not only when defining the command line of the application to be launched, but also when specifying the icons that are displayed by default.
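A defensive check for the behaviour described above, added here as an example and not taken from KDE or from the original report: it flags "$(..)" or backtick command substitution in any key other than Exec inside ".desktop" and ".directory" files. The sample entry, the placeholder command and the function names are constructed for illustration, and treating Exec as the only legitimate command-line key is an assumption.

```python
import os
import re

# Desktop-entry file names KDE parses while listing a directory.
SUFFIXES = (".desktop", ".directory")
# Assumption: Exec is the only key meant to hold a command line; the rest is data.
COMMAND_KEYS = {"Exec"}
# Shell command substitution: $(...) or backticks.
SUBSTITUTION = re.compile(r"\$\(|`")
# key, optional [modifier] suffixes such as a locale, '=', value.
ENTRY = re.compile(r"^\s*([A-Za-z0-9-]+)(?:\[[^\]]*\])*\s*=\s*(.*)$")

# Constructed sample for illustration; the command name is a placeholder.
SAMPLE = """[Desktop Entry]
Type=Directory
Icon=$(placeholder-command)
Name[de]=Beispiel
"""


def scan_text(text):
    """Return (line_no, key, value) for data keys whose value has command substitution."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ENTRY.match(line)
        if not match:
            continue  # group headers, comments, blank lines
        key, value = match.groups()
        if key not in COMMAND_KEYS and SUBSTITUTION.search(value):
            findings.append((line_no, key, value))
    return findings


def scan_tree(root):
    """Scan every desktop-entry file under root, e.g. an archive extracted on the command line."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits = scan_text(handle.read())
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    print(scan_text(SAMPLE))
```
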
For example, for an attack it is enough to send the user a zip archive with a directory containing a ".directory" file of the form: