Cybersecurity researchers at Berlin-based infosec company Positive Security have identified two serious zero-day vulnerabilities impacting Pling-based FOSS (free and open-source software) marketplaces for Linux.
The vulnerabilities remain unpatched and can be exploited to launch supply-chain attacks or achieve RCE (remote code execution) against Linux marketplaces. The vulnerabilities were discovered in Opendesktop’s Pling. Positive Security’s co-founder Fabian Bräunlein explained in a technical blog published on Wednesday that:
“Linux marketplaces that are based on the Pling platform are vulnerable to a wormable [cross-site scripting] with potential for a supply-chain attack. The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running.”
The apps affected by the vulnerabilities include the following:
PlingStore is a content manager and installer for OCS-compatible sites. It facilitates the installation of icon and desktop themes, mouse cursors, and wallpapers within desktop environments, e.g., KDE Plasma, Gnome, and XFCE. Users can search/install Linux software, icons, themes, and add-ons that might be unavailable for download via the distribution’s software hub.
How the Flaws were Discovered
According to Bräunlein, he discovered the flaw while testing the KDE Discover app store’s URI/Uniform Resource Identifier handling mechanism. He found a field that lets users embed media in a listing. This field looked like XSS “by design.”
According to Fabian, the XSS can be easily exploited since the stored XSS is triggered whenever someone visits the listing and doesn’t even need user interaction. Fabian also discovered that an RCE vulnerability impacts the PlingStore app that an attacker can trigger from any website if the app runs in the background.
“During the start, the PlingStore Electron app also launches a component which listens on a local socket for commands. There is no check whether the commands actually come from the Electron app, so any website can send such commands by initiating a WebSocket connection,” Fabian wrote in blog post.
Fabian advises users not to run the PlingStore Electron application and remove the AppImage file until the RCE is addressed.