Unpatched flaws exposing Linux marketplaces to remote attacks

The vulnerabilities remain unpatched and can be exploited to launch supply-chain attacks or achieve RCE against Linux marketplaces.
Unpatched flaws exposing Linux marketplaces to remote attacks

Cybersecurity researchers at Berlin-based infosec company Positive Security have identified two serious zero-day vulnerabilities impacting Pling-based FOSS (free and open-source software) marketplaces for Linux.

The vulnerabilities remain unpatched and can be exploited to launch supply-chain attacks or achieve RCE (remote code execution) against Linux marketplaces. The vulnerabilities were discovered in Opendesktop’s Pling. Positive Security’s co-founder Fabian Bräunlein explained in a technical blog published on Wednesday that:

“Linux marketplaces that are based on the Pling platform are vulnerable to a wormable with potential for a supply-chain attack. The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running.”

Impacted Apps

The apps affected by the vulnerabilities include the following:

  • appimagehub.com,
  • store.kde.org,
  • gnome-look.org,
  • xfce-look.org,
  • pling.com.

PlingStore is a content manager and installer for OCS-compatible sites. It facilitates the installation of icon and desktop themes, mouse cursors, and wallpapers within desktop environments, e.g., KDE Plasma, Gnome, and XFCE. Users can search/install Linux software, icons, themes, and add-ons that might be unavailable for download via the distribution’s software hub.

How the Flaws were Discovered

According to Bräunlein, he discovered the flaw while testing the KDE Discover app store’s URI/Uniform Resource Identifier handling mechanism. He found a field that lets users embed media in a listing. This field looked like XSS “by design.”

Unpatched flaws exposing Linux marketplaces to remote attacks
Image: Positive Security

He then added an iframe and a malicious JavaScript payload in another line, which created a stored XSS. The issue was first reported to Opendesktop on Feb 24, and Fabian repeatedly sent follow-up emails, made a phone call, and posted on Pling’s chat forum. Until Jun 18, he received no response, so he warned the project managers that he would go public, and finally, he did so on Jun 22nd, 2021.

Attack Details

Fabian states this XSS can be used to “modify active listings, or post new listings on the Pling Store in the context of other users, resulting in wormable XSS.” It will also allow attackers to launch a supply chain attack. The malicious JavaScript payload will upload a backdoored software version to change the victim’s metadata and include the payload.

According to Fabian, the XSS can be easily exploited since the stored XSS is triggered whenever someone visits the listing and doesn’t even need user interaction. Fabian also discovered that an RCE vulnerability impacts the PlingStore app that an attacker can trigger from any website if the app runs in the background.

“During the start, the PlingStore Electron app also launches a component which listens on a local socket for commands. There is no check whether the commands actually come from the Electron app, so any website can send such commands by initiating a WebSocket connection,” Fabian wrote in blog post.

Fabian advises users not to run the PlingStore Electron application and remove the AppImage file until the RCE is addressed.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts