This flaw in KDE archive tool let hackers take over Linux Accounts


A flaw in ARK, the default archive extraction utility of the KDE desktop environment, allows attackers to overwrite files or execute code on a victim's machine simply by tricking them into downloading an archive and extracting it. KDE is a desktop environment found in Linux distributions such as Kali, openSUSE, Kubuntu and others, providing a graphical user interface to the operating system.

The flaw was discovered by Dominik Penner, a security researcher at Hackers for Change: a path traversal bug in the default ARK archive utility that allows malicious actors to achieve Remote Code Execution (RCE) by distributing malicious archives.

Once a user extracts the archive, the threat actor can create autostart entries that automatically launch programs, which could encrypt the user's files with ransomware, install backdoors, or install miners, giving remote attackers shell access to the victim's account. Dominik Penner reported this flaw to the KDE security team on 20 July 2020, and it was quickly fixed in Ark 20.08.0, which was released today.

As ARK is the default extractor in the KDE desktop environment and ships with almost all Linux distributions that offer KDE, all Linux users are advised to install the latest update as soon as possible.

Path Traversal flaw leads to Code Execution

The KDE desktop environment allows applications to be started automatically when a user logs into the operating system. These autostarts are configured by creating special .desktop files in the ~/.config/autostart folder; each file specifies the program to be executed at login.

For example, the .desktop file shown below will automatically launch the konsole.desktop application when a user logs into the desktop.

Figure: Konsole autostart .desktop file

Dominik Penner discovered that the ARK archive utility fails to remove path traversal characters when decompressing an archive. This flaw allowed him to create archives whose contents are extracted anywhere the user has write access.

KDE Ark is vulnerable to an arbitrary write bug leading to command execution via directory traversal. Ark fails to strip directory traversal characters when decompressing tar, rar, gzip, zip and bzip2 files, ultimately allowing threat actors to silently write files into the ~/.config/autostart directory, leading to command execution on the next reboot. This bug is more commonly referred to as a "Zip Slip" vulnerability.

Using this vulnerability, Dominik Penner created a proof of concept exploit that automatically creates KDE autostart configuration files simply by extracting a specially crafted archive in the current folder. Once an autostart was created, the next time the computer is rebooted and a user logs into their account, the specified program will be executed, leading to remote code execution (RCE).
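As an added example (not code from the article, from Ark, or from the researcher's PoC), the Python below shows the check a safe extractor must perform: resolve every entry name against the destination directory and refuse any entry that would land outside it. It runs offline on a constructed two-entry zip; the entry names and file contents are made up for the demonstration, and the same name check applies to tar and the other formats the advisory lists.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed sample entry names for the demo (not taken from the real PoC archive).
SAFE_NAME = "docs/README.txt"
EVIL_NAME = "../../../.config/autostart/hackersforchange.desktop"


def escapes(member: str, dest: Path) -> bool:
    """True if joining `member` onto `dest` the way a naive extractor does
    resolves to a location outside `dest` (Zip Slip / path traversal)."""
    root = dest.resolve()
    target = (root / member).resolve()  # '../' runs and absolute names both escape
    return target != root and root not in target.parents


def audit_zip(data: bytes) -> list:
    """Names of zip entries that would land outside the extraction directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if escapes(n, Path("."))]


def safe_extract_zip(data: bytes, dest: str) -> tuple:
    """Extract into `dest`, skipping every entry whose path escapes it."""
    written, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if escapes(info.filename, Path(dest)):
                skipped.append(info.filename)
                continue
            out = Path(dest) / info.filename
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
            else:
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, skipped


def build_sample_zip() -> bytes:
    """Constructed archive: one harmless file plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAFE_NAME, "hello\n")
        zf.writestr(EVIL_NAME, "[Desktop Entry]\n")  # dummy autostart payload
    return buf.getvalue()


def run_demo() -> dict:
    """Audit the sample, then extract it into a fresh temp dir; report both."""
    data = build_sample_zip()
    dest = tempfile.mkdtemp(prefix="ark-demo-")
    written, skipped = safe_extract_zip(data, dest)
    return {"flagged": audit_zip(data), "written": written, "skipped": skipped}
```

`audit_zip` alone is enough to triage a downloaded archive before opening it; a non-empty result means the archive is trying to write outside its extraction folder.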

Proof of Concept

Dominik Penner shared a PoC, and in tests this flaw was incredibly easy to exploit. Running the exploit produces a specially crafted archive containing a payload.desktop autostart file whose extraction path includes path traversal characters, for example "../../../.config/autostart/hackersforchange.desktop".

When a user extracts the archive, ARK follows the path traversal mentioned above and creates the file ~/.config/autostart/hackersforchange.desktop, which launches xcalc the next time the user logs into the KDE desktop.

Figure: Autostart entry installed by the PoC to start xcalc

A video demonstration of the PoC is also available. Given how simple this bug is to exploit, all KDE users are advised to upgrade to Ark 20.08.0 or a later version.
