A Berlin startup has disclosed a remote code execution (RCE) vulnerability and a wormable cross-site scripting (XSS) vulnerability in Pling, which is used by various Linux desktop theme markets.
Positive Security, which found the loopholes and not to be confused with Russia’s Positive Technologies, said the bugs were still present in the Pling code and its maintainers had not responded to vulnerability reports.
Pling is promoting itself as a marketplace for creatives to download Linux desktop themes and graphics, among other things, in the hope of making a few bucks from supporters. It consists of two parts: the code needed to run your own bling bazaar and an Electron-based app that users can install to manage their themes from a Pling souk. The web code contains the XSS, and the client has the XSS and an RCE. Pling powers a bunch of sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.
The result is that criminals can exploit the XSS to download and modify resources like other users in the marketplaces, and the RCE can be abused by web pages and marketplaces to execute malicious code on a computer’s computer. victim.
“A wormable XSS with potential for supply chain attacks in Pling-based markets, and a drive-by RCE affecting PlingStore app users are still exploitable,” wrote Fabian Bräunlein of Positive on Tuesday.
Detailing how one of the flaws looked like “XSS by design,” Bräunlein said he came across it while testing KDE Discover’s handling of arbitrary URIs. KDE Discover, he explained, is a typical Linux desktop market based on the Pling platform.
“This stored XSS could be used to edit active ads or post new ads to the Pling store in the context of other users, resulting in a wormable XSS,” he wrote. While KDE corrected Discover in March following Bräunlein’s findings, Pling was less proactive.
As a result of this discovery, Bräunlein realized that the PlingStore Marketplace app was also vulnerable to XSS – “and from there it can probably be transferred to RCE when combined with a Bypass Tray. Electron sand “.
However, a bypass of the sandbox was not necessary. When executed, the application creates a local WebSocket server which is not secure. An XSS payload delivered from a theme marketplace, or any web page opened in a browser, can connect to that local server and use it to tell the software to retrieve and execute arbitrary malicious code. This means that accessing a trapped market list in the app or browsing a bad website with PlingStore in the background can result in malware running on your Linux PC through the Pling app, according to Positive. .
“When the XSS is triggered in the Electron app, the payload can establish a connection to the local WebSocket server and send messages to execute arbitrary native code,” Bräunlein wrote. And like the RCE provided by the web page, “exploitation is triggered by visiting a malicious website in any browser, while PlingStore is running in the background.”
The anonymous managers of Pling, who do not identify themselves on either Pling.com or the partner site opendesktop.org, did not respond to an email seeking comment. Bräunlein said he first tried to warn the programmers in February, and again and again afterwards, and nothing was done.