A hardcoded password for accessing the user database has been found in the Linuxfx distribution

Members of the Kernal community have found a strikingly careless attitude towards security in the Linuxfx distribution, which offers an Ubuntu build with a KDE desktop styled after Windows 11. According to the project's website, the distribution has more than a million users and about 15 downloads this week. The distribution offers additional paid features, which are activated by entering a license key in a dedicated graphical application.

An examination of the license activation application (/usr/bin/windowsfx-register) showed that it contains a hardcoded login and password for an external MySQL DBMS, to which data about each new user is added. The credentials give full access to the database, including the "machines" table, which holds information about all installations of the distribution, including user IP addresses. The contents of the "fxkeys" table, with the license keys and email addresses of all registered commercial users, are also accessible. Notably, in contrast to the claims of a million users, there are only 20 records in the database. The application is written in Visual Basic and runs using the Gambas interpreter.

The reaction of the distribution's developers deserves special attention. After information about the security problems was published, they released an update that did not fix the problem itself, but only changed the database name, login and password, changed the logic for obtaining the credentials, and tried to counter program tracing. Instead of embedding the credentials in the application itself, the Linuxfx developers made it load the database connection parameters from an external server using the curl utility. For protection, after startup the application searches for and terminates all running "sudo", "stapbp" and "*-bpfcc" processes in the system, apparently in the belief that this interferes with tracing programs.
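An added example, not Linuxfx code: a sketch of the design that removes the problem described above, where the activation client sends only its license key to a server-side service and never holds database credentials, whether embedded or fetched with curl. The column names, the `ActivationService` class and the sample keys are assumptions constructed for illustration, and an in-memory SQLite database stands in for the MySQL server.

```python
import sqlite3

def make_server_db():
    """Constructed stand-in for the vendor database (column names are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fxkeys (license_key TEXT PRIMARY KEY, email TEXT)")
    db.execute("CREATE TABLE machines (license_key TEXT, ip TEXT)")
    db.executemany(
        "INSERT INTO fxkeys VALUES (?, ?)",
        [("KEY-AAAA-0001", "alice@example.test"),   # constructed sample rows
         ("KEY-BBBB-0002", "bob@example.test")],
    )
    return db

class ActivationService:
    """Runs on the vendor's server; the database handle never leaves this process."""
    MAX_ATTEMPTS = 5  # per client address, to slow down key guessing

    def __init__(self, db):
        self._db = db
        self._attempts = {}

    def activate(self, license_key, client_ip):
        # client_ip comes from the connection, not from client-supplied data.
        count = self._attempts.get(client_ip, 0) + 1
        self._attempts[client_ip] = count
        if count > self.MAX_ATTEMPTS:
            return {"status": "rate_limited"}
        if not isinstance(license_key, str) or not 0 < len(license_key) <= 64:
            return {"status": "invalid"}
        # Parameterized query: the key is data, never part of the SQL text.
        row = self._db.execute(
            "SELECT 1 FROM fxkeys WHERE license_key = ?", (license_key,)
        ).fetchone()
        if row is None:
            return {"status": "invalid"}
        self._db.execute("INSERT INTO machines VALUES (?, ?)", (license_key, client_ip))
        self._db.commit()
        # The reply carries a status only: no e-mail addresses, no other rows.
        return {"status": "activated"}

    def installations(self):
        """Server-side bookkeeping; not exposed to clients."""
        return self._db.execute("SELECT COUNT(*) FROM machines").fetchone()[0]

if __name__ == "__main__":
    svc = ActivationService(make_server_db())
    print(svc.activate("KEY-AAAA-0001", "192.0.2.10"))
    print(svc.activate("' OR '1'='1", "192.0.2.11"))
```

With this split, the most a client can learn is whether one key is valid, and rotating the database password becomes a server-side operation that never requires a client update.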

Source: opennet.ru
