Unpatched Linux Marketplace Bugs Allow Wormable Attacks, Drive-By RCE

A pair of zero-days affecting Pling-based marketplaces could allow for some ugly attacks on unsuspecting Linux enthusiasts — with no patches in sight.

An unpatched stored cross-site-scripting (XSS) security vulnerability affecting Linux marketplaces could allow unchecked, wormable supply-chain attacks, researchers have found.

The bug was found to affect Pling-based markets by researchers at Positive Security, including AppImage Hub, Gnome-Look, KDE Discover App Store, Pling.com and XFCE-Look.

To boot, the PlingStore application is affected by an unpatched remote code-execution (RCE) vulnerability, which researchers said can be triggered from any website while the app is running – allowing for drive-by attacks.

PlingStore is an installer and content-management application that acts as a consolidated digital storefront for the various aforementioned sites that offer Linux software and plugins. It allows users to download, install and apply desktop themes, icon themes, wallpapers, mouse cursors and so on directly using the “Install” button.

The Pling team could not be reached, according to Fabian Bräunlein with Positive Security, writing in a blog post on Tuesday – “which is why we have decided to publish these unpatched vulnerabilities in order to warn users,” he said.

Wormable XSS Linux Bug

The stored XSS bug was first discovered affecting KDE Discover. Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. Unlike reflected XSS, a stored attack only requires that a victim visit a compromised web page.

“While creating my own listing to test Discover’s URI handling, I stumbled upon a field that looked like XSS by design,” Bräunlein explained. “While a simple XSS payload did not work, it was sufficient to first add an iframe and then the malicious JavaScript payload in a separate line.”

“XSS by design.” Click to enlarge. Source: Positive Security.

After adding an XSS payload in the HTML code section, he found that the XSS could triggered when visiting a malicious listing in the affected marketplace.

Attackers could exploit the bug to modify active listings, or post new listings on Pling-based stores in the context of other users, resulting in a wormable XSS, the researcher warned.

“Besides the typical XSS implications, this would allow for a supply-chain attack XSS worm using a JavaScript payload that performs the following two steps: Upload a new (backdoored) version of their software; [and] change the metadata of the victim’s listings to itself include this malicious payload,” he said.

Essentially, any of the downloadable assets might be compromised, so users should be warned that any listing on any of the affected marketplaces could hijack a user’s account on the platform via XSS, Bräunlein said.

PlingStore RCE

The PlingStore app meanwhile also allows the XSS vulnerability to be triggered, according to Bräunlein – but the damage can also be escalated to RCE. That’s because the application by design can install other applications, with a built-in mechanism to execute code on the OS level.

“As it turns out, that mechanism can be exploited by any website to run arbitrary native code while the PlingStore app is open in the background,” he explained.

When the XSS is triggered inside the app, the payload can establish a connection to the local WebSocket server and send messages to execute arbitrary native code (by downloading and executing an AppImage file).

“When the PlingStore app is started, it also launches ocs-manager, a local WebSocket server that listens to messages from [the app],” Bräunlein explained. “ocs-manager implements various functions, that can be called by the [app] to retrieve information or trigger actions.”

He found that by combining three function calls, it’s possible to execute arbitrary code:

  • Call “ItemHandler::getItem” to download an AppImage from any URL as type bin
  • Call “ConfigHandler::getAppConfigInstallTypes” to leak the full bin directory path (by default in the home directory, thus dependent on the username)
  • Call “SystemHandler::openUrl” with the AppImage path as argument (implements special handling for AppImage files to execute them instead of starting them with the default application)

“Browsers do not implement the same-origin policy for WebSocket connections,” Bräunlein said. “Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent.”

The researcher published a proof-of-concept exploit showing that the attack can be carried out by visiting a malicious website in any browser.

No Patches in Sight

Bräunlein said he first attempted to contact Pling in February, but after months of trying various avenues (including email to the “contact” address, support chats, phone calls to the organization and its CEO, and the creation of a support forum post), he decided to publicly disclose the issues.

One of the marketplaces, KDE Discover, was immediately responsive however, and published a patch and advisory in March.

“App Marketplaces are at the intersection of two worlds: User-provided content, mostly presented to the user with web technology; and managing and installing native applications,” Bräunlein concluded. “While No. 1 is usually considered highly untrusted and heavily sandboxed, App Store integrations create a bridge to No. 2, an area that requires a high level of trust. In this environment, even relatively small vulnerabilities (e.g. a missing origin check) can lead to severe consequences (drive-by RCE from any browser with the vulnerable application running in background). Developers of such applications must put in a high level of scrutiny to ensure their security.”

He urged users of Pling-based marketplaces to avoid using the PlingStore applications, and to log out of their accounts for the affected websites until the issues have been fixed.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!

 

Suggested articles