Bug 3032 - Konqueror arbitrary code execution from .desktop files
Summary: Konqueror arbitrary code execution from .desktop files
Status: RESOLVED FIXED
Alias: None
Product: TDE
Classification: Unclassified
Component: tdebase
Version: R14.1.x [Trinity]
Hardware: All Linux
Importance: P5 critical
Assignee: Timothy Pearson
Blocks: R14.0.7
Reported: 2019-08-08 01:51 CDT by Sergey Frolov
Modified: 2019-08-08 19:41 CDT

Attachments
Screenshot of Konqueror creating a file in user home dir (72.26 KB, image/png)
2019-08-08 01:51 CDT, Sergey Frolov
This desktop file will automatically execute `touch vulnerable-to-desktop-code-execution` (76 bytes, application/x-desktop)
2019-08-08 01:54 CDT, Sergey Frolov

Description Sergey Frolov 2019-08-08 01:51:46 CDT
Created attachment 2923 [details]
Screenshot of Konqueror creating a file in user home dir

Konqueror will automatically execute code from a .desktop or .directory file when navigating to a directory which contains said file.

Steps to reproduce: create test.desktop with the following content:

[Desktop Entry]
Icon[$e]=$(touch${IFS}vulnerable-to-desktop-code-execution)


Upon (re)entering/reloading the directory with Konqueror, a file will be created in the user's home directory.

This is a critical vulnerability because it does not require any action from the user, not even setting the execution bit. Only read permission is required.

All one needs to do to run code on a target machine is to place a file inside an archive or removable storage.

Initial report: https://twitter.com/zer0pwn/status/1158433002239746048
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

Hotfix for KDE: https://phabricator.kde.org/D22979
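
The following is an added example, not part of the original report and not taken from the TDE or KDE patch: a Python scanner that walks a directory tree (an extracted archive or a mounted removable drive, say) and reports .desktop and .directory entries whose key carries an expansion marker such as [$e] and whose value contains a $(...) command substitution. The function names and the sample strings are constructed for this illustration.

```python
import re
import sys
from pathlib import Path

# A key, then zero or more bracket groups ([locale] and/or [$options]), then "=".
ENTRY = re.compile(r"^\s*(?P<key>[^=\[\s]+)(?P<groups>(?:\[[^\]]*\])*)\s*=(?P<value>.*)$")
GROUP = re.compile(r"\[([^\]]*)\]")

def find_command_expansions(text):
    """Return (line_no, key, value) for entries marked for expansion ([$e],
    [$ie], ...) whose value contains a $(...) command substitution."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):        # comment line
            continue
        m = ENTRY.match(line)
        if not m:                                # group header, blank, junk
            continue
        # Option groups start with "$"; the "e" flag requests expansion.
        options = [g for g in GROUP.findall(m["groups"]) if g.startswith("$")]
        if any("e" in g[1:] for g in options) and "$(" in m["value"]:
            hits.append((line_no, m["key"], m["value"].strip()))
    return hits

def scan_tree(root):
    """Yield (path, hits) for every *.desktop or .directory file under root."""
    for path in Path(root).rglob("*"):
        if not (path.is_file() and (path.suffix == ".desktop" or path.name == ".directory")):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:                          # unreadable file: skip it
            continue
        hits = find_command_expansions(text)
        if hits:
            yield path, hits

# Constructed samples: the entry from this report, and a benign file.
SAMPLE_BAD = "[Desktop Entry]\nIcon[$e]=$(touch${IFS}vulnerable-to-desktop-code-execution)\n"
SAMPLE_OK = "[Desktop Entry]\nIcon=folder\nPath[$e]=$HOME/Documents\nName[de]=Ordner\n"

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        for line_no, key, value in hits:
            print(f"{path}:{line_no}: {key} -> {value}")
```

The scanner only reads the files as text and never hands them to a desktop environment, so it can be run on an untrusted tree before that tree is opened in a file manager.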
Comment 1 Sergey Frolov 2019-08-08 01:54:18 CDT
Created attachment 2924 [details]
This desktop file will automatically execute `touch vulnerable-to-desktop-code-execution`
Comment 2 Sergey Frolov 2019-08-08 02:02:42 CDT
To get a sense of how ubiquitous .directory files are: as of now there are 11,635 of them across repositories on GitHub

(running this search will require a login)
https://github.com/search?utf8=%E2%9C%93&q=HiddenFilesShown%3D+filename%3A.directory&type=Code&ref=advsearch&l=&l=
Comment 3 Slávek Banko 2019-08-08 19:41:32 CDT
Thank you for reporting. The problem has already been reported in TGW as issue TDE/tdelibs#45:
https://mirror.git.trinitydesktop.org/gitea/TDE/tdelibs/issues/45

And a patch based on the KDE Frameworks 5 kconfig patch for CVE-2019-14744 has already been merged from pull request TDE/tdelibs#46:
https://mirror.git.trinitydesktop.org/gitea/TDE/tdelibs/issues/46