The vulnerability creates the possibility of unchecked, wormable supply-chain attacks. Affected are Pling-based marketplaces, such as AppImage Hub, Gnome-Look, KDE Discover App Store, Pling.com, and XFCE-Look.
“The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running,” the researchers’ report said.
It is noteworthy that the researchers couldn’t reach the Pling team and therefore decided to publish their findings. The KDE Discover and Gnome Shell Extension teams, however, quickly fixed the other, lower-severity flaws that were reported to them.
How did the researchers discover the Pling vulnerability?
The researchers had recently been analyzing how popular desktop apps handle user-supplied URIs, which led to the discovery of RCE flaws in several apps. One of these apps was the KDE Discover App Store, whose flaw was assigned CVE-2021-28117.
“libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of the store.kde.org web site. (5.18.7 is also a fixed version.)”, the official advisory reveals.
During the research, other vulnerabilities in FOSS marketplaces were also uncovered.
“A wormable XSS with potential for supply chain attacks on Pling-based marketplaces, and a drive-by RCE affecting users of the PlingStore application are still exploitable as of 2021-06-22,” the report noted.
The PlingStore Vulnerability
The PlingStore app also contains an XSS flaw, which can be escalated to remote code execution.
This escalation is possible because the app installs other apps by default through a built-in mechanism that executes code at the OS level. Any website can abuse that same mechanism to run arbitrary native code, provided the PlingStore app is open in the background.
Once the XSS is triggered within the app, the payload can open a connection to the local WebSocket server and send messages that lead to remote code execution. This is done by downloading and executing an AppImage file, the researchers explained.
What about browsers?
“Browsers do not implement the Same-origin policy for WebSocket connections. Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent,” the report noted.
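As an added illustration (not code from the report or from ocs-manager), here is a minimal handshake check for a local WebSocket server that does what the paragraph recommends: it refuses an upgrade whose Origin is not on an allowlist and additionally requires a session token, since Origin can be set freely by non-browser clients. The allowed origins and the token are constructed values, and the Sec-WebSocket-Accept computation follows RFC 6455.

```python
import base64
import hashlib

# Constructed values: what a local helper app would hold for its own WebSocket server.
ALLOWED_ORIGINS = {"https://www.pling.com", "app://plingstore"}
EXPECTED_TOKEN = "constructed-secret-token"  # hypothetical per-session secret
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID


def parse_headers(raw):
    """Parse a raw HTTP/1.1 upgrade request into a lower-cased header dict."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def accept_key(client_key):
    """Compute Sec-WebSocket-Accept for the client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def handshake(raw):
    """Return (status, detail); only allowlisted, authenticated origins get 101."""
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, "Bad Request"
    # Browsers always send Origin on a WebSocket upgrade; a missing or
    # foreign origin is refused before any command can be received.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, "Forbidden: origin not allowed"
    # Origin is not a secret, so also demand a token only the legitimate client knows.
    if h.get("x-client-token") != EXPECTED_TOKEN:
        return 401, "Unauthorized: missing or wrong token"
    return 101, accept_key(h["sec-websocket-key"])


def make_request(origin, token=None):
    """Build a constructed upgrade request for trying the check offline."""
    req = ("GET /ws HTTP/1.1\r\nHost: 127.0.0.1:8000\r\nUpgrade: websocket\r\n"
           "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
           "Origin: " + origin + "\r\n")
    if token is not None:
        req += "X-Client-Token: " + token + "\r\n"
    return req + "\r\n"
```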
Are patches available?
Unfortunately, the researchers could not reach the teams behind Pling/OpenDesktop/hive01 GmbH, so they disclosed the findings publicly to alert users to the existing issues.