Remember Autorun.inf Malware In Windows? Turns Out KDE Offers Something Similar (zdnet.com)
Long-time Slashdot reader Artem S. Tashkinov writes:
A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions.
The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file.
Zero user interaction is required to trigger code execution — all you have to do is to browse a directory with a malicious file using any of KDE file system browsing applications like Dolphin.
When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response.
"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."
Fixed yesterday (Score:4, Interesting)
From Release Announcements: KDE Frameworks 5.61.0 [kde.org]:
KConfig
Security: remove support for $(...) in config keys with [] marker // b.
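A triage check written for this thread, not KDE's code: it reads .desktop/.directory files and flags keys carrying the KConfig `[$e]` shell-expansion marker whose value contains a `$(...)` command substitution, which is the combination the 5.61.0 note says was removed. The sample file is constructed here; plain `$VAR` expansion under `[$e]` is a normal KConfig use and is deliberately not flagged.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape the thread describes: a .directory file
# whose Name key carries the [$e] marker and a $(...) command substitution.
# The Comment key also uses [$e] but only expands an environment variable.
SAMPLE_DIRECTORY_FILE = """[Desktop Entry]
Type=Directory
Icon=folder
Name=Holiday photos
Name[$e]=Photos $(date)
Comment[$e]=$HOME/photos
"""

# key, then zero or more [..] markers (locale and/or $e), then '=' and value
KEY_RE = re.compile(r"^\s*([A-Za-z0-9-]+)((?:\[[^\]]*\])*)\s*=(.*)$")
MARKER_RE = re.compile(r"\[([^\]]*)\]")
CMD_SUBST_RE = re.compile(r"\$\(")

Finding = Tuple[str, str, List[str], str]  # (section, key, markers, value)


def find_shell_expansion_keys(text: str) -> List[Finding]:
    """Return every key whose marker list contains $e and whose value holds
    a $( command substitution. Comments, blank lines and keys without the
    $e marker are ignored; $VAR-only expansions are not reported."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # e.g. "Desktop Entry"
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue
        key, marker_blob, value = m.group(1), m.group(2), m.group(3)
        markers = MARKER_RE.findall(marker_blob)
        if "$e" in markers and CMD_SUBST_RE.search(value):
            findings.append((section, key, markers, value.strip()))
    return findings


def is_suspicious(text: str) -> bool:
    """True when at least one $e-marked key contains $(...)."""
    return bool(find_shell_expansion_keys(text))


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a directory (e.g. a download folder or a mounted USB stick) and
    report findings per .desktop/.directory file. Unreadable files are skipped."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith(".desktop") or name == ".directory"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_shell_expansion_keys(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for section, key, markers, value in find_shell_expansion_keys(SAMPLE_DIRECTORY_FILE):
        print(f"[{section}] {key}{''.join('[' + m + ']' for m in markers)} = {value}")
```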
Re: (Score:1)
This is still a critical vulnerability as no user interaction is basically required and there's no way to disable this "feature" before your distro pushes an update (and some Linux distros are not exactly agile in this regard).
Re: (Score:3, Insightful)
although "disclosing" an exploit by handing it to the press is about as irresponsible as disclosure can get.
Authors go from having 30-60 days to get a patch distributed, to having NO time. Forcing them to absolutely scramble to mitigate the damage is a real dick move.
Re: (Score:2)
Of course *this* way you draw a lot more attention to yourself than if you allow the problem to be quietly fixed.
Re: (Score:2)
Not really. KDE 3 was awesome. KDE 4, yeah, it sucked ass, but KDE 5 is coming along OK, if a bit on the slow side. Still missing some awesome features lost in the KDE 3->4 changeover though.
And don't go screaming at me about KDE and Plasma not being the same thing, because they are. Neither can do anything without the other, so when one speaks of the KDE 5 system, they're talking about both KDE 5 and Plasma 5.
Absolutely. Take down Wikipedia with one packet (Score:5, Interesting)
You're absolutely positively right. A few years ago I discovered a way to take down Wikipedia and other major web sites by sending a single packet. You wouldn't think you could take down a site hosted on multiple clusters, but there it was.
The name of this vulnerability? Didn't need name. Didn't need a website. Just needed to be fixed. You won't find press articles about it, because it was handled properly.
I contacted the project responsible for the vulnerable software. Their security team looked into it and within a day or two a fix was ready. The fix was deployed on major international targets such as Wikipedia. Later that day the team coordinated with distro maintainers such as Florian at Redhat to get the fix prepped in the distro update channels. After the update had been widely available for about a day it was time to explain what was being fixed.
It garnered no attention for me, and as far as we know there were no victims, because we handled it right.
I did get one benefit. Coincidentally, I had a job interview scheduled. The interviewer asked me if I had any experience with Ubuntu systems. I asked them if they get the Ubuntu security emails and asked them to look at the Ubuntu email that had been sent out a few hours before. The email from Ubuntu security began "Ray Morris discovered ...". The interviewer didn't feel the need to ask anymore about my Ubuntu experience. :)
Bad typing (Score:2)
I missed typing a few words. This:
You wouldn't think you could take down a site hosted on multiple clusters
Should say:
You wouldn't think you could take down a site hosted on multiple clusters +with one packet+
The packet caused the servers to start DOSing each other at maximum speed.
Re: (Score:1)
attackers don't wait weeks or months for the vendor to respond, and if you happen to be the first to figure it out, you can pretty much guarantee that someone else with less savory intentions is right behind you. If your goal is to help, the best way is to release publicly ASAP because it gives users the most time possible to mitigate incoming attacks as well as force the vendor to prioritize a fix.
The temporary "security through obscurity" of 'responsible disclosure' is a fool's game, and only works at all
Not a bad guess. Doesn't happen to be right (Score:3)
> If your goal is to help, the best way is to release publicly ASAP because it gives users the most time possible to mitigate incoming attacks as well as force the vendor to prioritize a fix.
That's not bad for a guess from a random reader of Slashdot.
Not a stupid idea.
Also doesn't happen to be right - I've been doing this full time for twenty years, so I've had the opportunity to see what actually happens in real life, many times.
I will point out that your suggestion of releasing the information before
Re: (Score:1)
You're right, it does give kiddies access, but it also gives admins access too. The worst possible outcome is admins not knowing the hole is there when they're attacked by those who've decided to exploit the vulnerability themselves.
Depending on security through obscurity and vendor charity is foolish. If you've been working in this field as long as you say, you ought to know that. I remember the squabbles over full disclosure vs 'responsible' disclosure years ago. I'm not convinced the current consensus on
Re:Not a bad guess. Doesn't happen to be right (Score:5, Insightful)
> I'm not convinced the current consensus on the latter benefits anyone but lazy vendors and those who want to capitalize on vulnerabilities
99% of those of us with any experience in the field are convinced.
One thing to keep in mind is that roughly 99.98% of attackers are script kiddies - they click to run a set of 10,000 prewritten exploits, they don't figure out any themselves. The vast majority of bad guys exploit things AFTER public release and often don't even know there is a new exploit added to the toolkit.
The immediate disclosure position depends on the argument that if there are a dozen people in the world who could theoretically find it, we should distribute an exploit to tens of thousands of bad guys.
Re: Not a bad guess. Doesn't happen to be right (Score:3)
Ray has been way more patient with you than you deserve, but you just won't stop digging. Your first paragraph there doesn't even have anything to do with what he said.
Re: (Score:2)
> Well then those admins aren't doing their jobs. They ought to be monitoring those public lists...oh right, they're all largely neutered now thanks to 'responsible' disclosure.
I think you mean that some admins don't do their job as quickly and recklessly as the very fastest script kiddie, who doesn't work 9-5.
> > we should distribute an exploit to tens of thousands of bad guys.
> Vs the knowledge remaining the exclusive domain of people who discover it
Yes, either only those who need to know actu
Re: (Score:2)
that's because he didn't address what I said in the previous post.
Re: (Score:2)
or it sits in an NSA database and is used for god knows what.
If you're an admin, don't you want to know where you're vulnerable, or are you going to trust that the vendor will look after your interests ahead of their own public image?
Re: (Score:2)
..and I'd still rather get an email from a vuln list on a monday morning than not hear about it for a few months when the vendor decides it's time.
Re: (Score:3)
> If you're an admin, don't you want to know where you're vulnerable
I'd much rather wait two or three days for everyone to know that I used to be vulnerable, than to have everyone know that I *am* vulnerable.
You're not a sysadmin either, are you?
Re: (Score:3)
> rather get an email from a vuln list on a monday morning
If you'd rather find out on Monday that you've been vulnerable, while all the bad guys found out on Saturday, and you won't have a fix until Friday, I'm going to guess you've never even *heard* the term TTC.
It takes *minutes* to *hours* for new exploits to be posted on the cracker forums. Once it's in Metasploit, unprotected AWS servers are, on average, exploited within MINUTES.
What you find out on Monday morning is that your company got utterly
Re: (Score:2)
I'm not convinced the current consensus on the latter benefits anyone but lazy vendors and those who want to capitalize on vulnerabilities.
Immediate disclosure doesn't penalize lazy vendors and help responsible vendors, it hurts all vendors and all of their customers. This doesn't mean that disclosure timelines should be arbitrarily long, but they should be long enough that responsible vendors can get fixes out before the exploits get packaged up in the kiddies' toolkits.
Re: (Score:2)
Depending on security through obscurity
Relying SOLELY on security by obscurity is foolish. Relying on it forever is foolish. But in the short term, it's quite valuable. If there was nothing to security through obscurity, then every product with a flaw would have an attack in the wild the same day the product became available.
Of course, just handing it off to vendors and saying that's the end of it doesn't always work either. It's why, as v1 said above, responsible disclosure gives vendors an arbitrary time period (he used 30-60 days) to release
Re: (Score:2)
I will point out that your suggestion of releasing the information before any fix can be available *guarantees* that *everyone* using the software is vulnerable to every script kiddie on the planet. Obviously that's the worst possible outcome.
Users should feel the pain of using insecure software, so they are motivated to move to something more secure.
Re: (Score:2)
I will point out that your suggestion of releasing the information before any fix can be available *guarantees* that *everyone* using the software is vulnerable to every script kiddie on the planet. Obviously that's the worst possible outcome.
Users should feel the pain of using insecure software, so they are motivated to move to something more secure.
How do they find that?
Re: Not a bad guess. Doesn't happen to be right (Score:2)
Re: (Score:2)
I will bet you money that this WAS reported to the vendor (or shortly going to be) and someone else
Re: (Score:2)
During that time the NSA knew about it and likely got away using it because it was not disclosed. It's not guaranteed that someone else will figure it out, but it grows more likely with time, especially for holy-grail vulnerabilities that crooks and state-actors crave. Eventually, someone will use it, or, worse, has been using it all this time. Full disclosure forces earliest-possible resolution, either from the vendor, by admin mitigation/workaround, or by user migration from the broken software. The latte
Re: (Score:2)
attackers don't wait weeks or months for the vendor to respond, and if you happen to be the first to figure it out, you can pretty much guarantee that someone else with less savory intentions is right behind you.
Right, Open Source makes it easier for everybody to find bugs, not just white hat hackers.
Re: (Score:2)
I did get one benefit. Coincidentally, I had a job interview scheduled. The interviewer asked me if I had any experience with Ubuntu systems. I asked them if they get the Ubuntu security emails and asked them to look at the Ubuntu email that had been sent out a few hours before. The email from Ubuntu security began "Ray Morris discovered ...". The interviewer didn't feel the need to ask anymore about my Ubuntu experience. :)
Not the first time I read this from you here on Slashdot, and yet it still makes me chuckle :-)
One of my favorites (Score:2)
Thanks for mentioning that. It's probably my favorite interview story. (I've done a few interviews).
A few days ago an interviewer said they have several thousand machines, and asked what is the largest network I've had responsibilities for. "Well, there's Rackspace ...". I kinda wish that question had come AFTER I took the job with AT&T, which provides networking services to AWS and Google cloud. As far as I can tell, AT&Ts systems run not only the largest network in the world (AT&T itself),
Re: (Score:2)
Do you think would-be attackers will wait simply because disclosure is a 'dick move'? Write better software and you won't have as much of an issue.
Re: Fixed yesterday (Score:2)
Re: (Score:2)
None of us create bug free software.
This is not a bug. It is a major design flaw. It is something that is so obviously wrong and stupid that it never should have existed in the first place.
"When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction"
In what bizarro parallel universe does designing something like that even make sense?
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Because you have never built something that seemed a good idea at the time, but turned out to have a major flaw, because you don't code.
Well what do the files usually do? I doubt that they started out with "let's execute code".
Looks like they were meant primarily as configuration files for the desktop and specific folders, hence the prefix . to make them hidden by default.
I doubt the original des
Re: (Score:2)
Not if the response was 'will not fix' after a 'responsible disclosure'. The userbase still doesn't know it is vulnerable and the vendor is not under as much pressure to fix it.
Re: (Score:2)
Re: (Score:2)
Yes, I'm aware that's what's supposed to happen.
Re: (Score:1)
Re: (Score:2)
No. We were talking about what impacts that particular security model has. Then people started getting personal. I said it's better to know sooner, even if would-be attackers find out as well. You disagree and would rather everyone fly on ignorance while the vendors (and possibly governments) dally about. You're welcome to your opinion.
Re: (Score:1)
Re: (Score:2)
I reread the thread. You're right. I misread part of what you said. I apologize.
Re: (Score:1)
Re: (Score:1)
"We would appreciate if people would contact security@kde.org before releasing an exploit into the public"
We would appreciate it if you wouldn't do things this stupid.
Re: (Score:2)
Hey buddy, I remember you from a previous article. Glad you continue to log in and contribute to the discourse :)
Preferences (Score:3)
"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."
Yeah, and users would prefer software that didn't have sophomoric mistakes like failing to do input verification, but we don't all get what we want, do we? What other amateur hour glaring mistakes are in KDE?
Re: Preferences (Score:2)
Look on the bright side; this is proof that Linux on the Desktop is finally catching up to windows. Just wait until KDE XP hits the shelves!
Re: (Score:3)
Given the scope of just how much of KDE is affected by it and for how long it has been, the benefit of the doubt for this mistake goes to KDE for remaining undiscovered so long. Maybe the amateurs are security researchers?
We can't all be perfect like you.
Re: (Score:2)
We can't all be perfect like you.
This isn't about perfection. This is about easily avoided errors which don't happen at all if you use best practices.
mostly doesn't matter (Score:2, Interesting)
KDE is dying, distros are tossing it out, only one developer making daily commits last time I looked
not pining for the fjords, it's shuffled off the mortal coil
Re: (Score:3)
KDE is dying, distros are tossing it out, only one developer making daily commits last time I looked
Another crippling bombshell hits the KDE community. Netcraft confirms it, right?
Re: (Score:2)
Linux Mint dumping it was the latest big bombshell, being the most popular desktop distro.
Re: (Score:3)
Re: (Score:2)
Eeewwwwwww, GNOME3 is inflexible garbage, it's why MATE forked off of GNOME2 and Cinnamon built on GNOME3 libraries.
I wasn't saying anything about how good KDE is, by the way. I can see why some people like it. It's just not enough people are liking it.
Anyway, plenty of other great desktops out there.
Re: (Score:2)
Try LXDE. It mostly resembles Gnome 2 and doesn't take up too much space.
I have a better one - .profile (Score:2)
How about the .profile in user's home directory - that gets executed upon login (or, better yet, .bashrc - on every shell launch), quietly and without any user interaction, on pretty much any Unix-like system. I mean, that's a giant security hole, amirite?
Re: (Score:2)
depends, what do the permissions on your .profile look like? Is it a chaste virgin with its legs crossed sitting behind its father wielding a shotgun, or is it a drunk whore lying on the floor of the Queens New York bus stop's men's room without knickers and its legs spread?
Re: (Score:2)
A bounds checking failure in a shell would be news. Do you have one to report?
No news here (Score:4, Interesting)
NO?! THE OPEN SOURCE COMMUNITY RELEASED SOMETHING THAT'S CRAP? YOU DON'T SAY...
Listen, I don't think that OpenSource is bad, in fact I think it's really good.
But the community is not healthy. Many open source projects lack polish and direction making them unusable for anyone other than the people most familiar with the software.
Look at Audacity, VLC or almost any Linux distro. There is so much tribal knowledge, and so many layers of crap you have to go through. Because everyone wants to do it their way, there is no consensus, and no focus on polish or simplicity.
Audacity breaks every normal paradigm for an audio NLE, VLC is half stuck between being a terminal utility and a GUI media player, and don't even get me started on Linux, or the beloved Ubuntu, riddled with stupid bugs, like not being able to change your hostname during the installer without causing problems once it's installed, or having to dig through 3-4 layers of configuration files to change one network interface.
WHY? There is no need for any of that, but people just keep piling crap on top of crap, or breaking convention because they are too lazy or think it's too inconvenient for them to follow convention.
It's problematic and is the key reason why the masses don't use open source software regularly, or donate to open source projects.
Now, I know, I'm on Slashdot, and we love our open source software on here. But we're not the norm.
Normal people can't be bothered to dig through three layers of config files to change a hostname or set an IP address, normal people will tap space and expect their NLE to toggle between play and pause, normal people would expect VLC's conversion functions that are in the GUI to actually work, and not have to resort to using the terminal to use VLC when really all it does is use ffmpeg anyways.
It's crazy and is holding our community back.
What does this have to do with KDE? Well, if everyone stuck to a well established convention, then we wouldn't have weird flaws like this, because we'd all be using the same well tested conventions that have everyone's eyes on them, not just a niche group that prefers one thing over the other.
It's like, open source is supposed to be about how people can work together to release and maintain something for free, because it's maintained by the same people who use it, and anyone can contribute.
But what it really shows is how fragmented everything is, and how no one works together, fragments and forks everything until the point where you have 20 ways to do the same thing, all of which suck, and none of which have overlapping features being a situation where you're always splitting the difference and never truly happy.
It's a shame, and we can and should be doing better.
Re: No news here (Score:1)
Look at Audacity, VLC or almost any Linux distro. There is so much tribal knowledge, and so many layers of crap you have to go through.
That's retarded. I was able to use both of them without any issues the first time I tried them. Hell, for YEARS my default response to friends, family, and random users on the net who were having issues playing media files was "install VLC". And the response 5 minutes later was invariably "wow, thanks!".
If you think that using VLC requires "tribal knowledge" I suspect that there's still a VCR in your house flashing 12:00
Re: (Score:2)
Hahaha, so you're resorting to insults because you don't like what I said and can't challenge it with facts? Well done.
If you don't know of the CLI-only functions in VLC (which make up the majority of the features of VLC) you don't know VLC well. VLC effectively is a GUI tool where 90% of its functions are accessed via the CLI only.
That's dumb.
Re: No news here (Score:1)
Er. I responded with facts, and no insults. I said your argument was retarded, and then explained why. I didn't say that you are retarded ... though, thanks to your followup, I'm starting to lean in that direction.
Re: (Score:2)
That's retarded.
I suspect that there's still a VCR in your house flashing 12:00
Er. I responded with facts, and no insults.
Oh, so I should think that these are compliments, and that they are your way of you suggesting that I'm highly intelligent?
Well, let me try it your way: Go fuck yourself you assholish sack of shit. You probably don't have two neurons between your ears to be able to rub them together to start a fire. Stop wasting my air by breathing it, I need it more than you do.
Am I doing it right?
Oh, no, I wasn't insulting you, I was just saying I think your points are assholish and make you look like a piece of shit. Not
Re: No news here (Score:2)
Yeah, you're definitely an idiot. I can see why you can't figure out how to use incredibly simple programs which even my mother has no issues with.
Re: (Score:2)
And you're proving my point.
Re: (Score:2)
If you don't know of the CLI-only functions in VLC (which make up the majority of the features of VLC) you don't know VLC well. VLC effectively is a GUI tool where 90% of its functions are accessed via the CLI only.
So? It's plenty useful even if you do nothing with the keyboard, ever. Most people will only ever use it to play video files they have downloaded, which is fine. It's possibly the best single tool that there is for that. There is a related problem, though. The problem is, there's no help. The help option refers you to the Wiki. If VLC's only purpose were to stream from the internet, it would make sense not to have any help file. It isn't. It doesn't. It seems like they could easily distill the Wiki into a h
Re: (Score:2)
It's possibly the best single tool that there is for that.
Sure, but that's not a particularly high bar.
There were other closed source pay apps that did it better, but they aren't being maintained anymore.
At the end of the day, VLC is just a GUI wrapper for ffmpeg, and not much of one at that, since so many things need to be done via the CLI.
Like, what's the point? It's not 2005 anymore, and in Windows, the built in media player is good enough for 90% of the media that's out there.
Re: (Score:2)
There were other closed source pay apps that did it better,
Name one.
but they aren't being maintained anymore.
Oh, how useful.
At the end of the day, VLC is just a GUI wrapper for ffmpeg, and not much of one at that, since so many things need to be done via the CLI.
By all means, make a better skin, and contribute it.
Like, what's the point? It's not 2005 anymore, and in Windows, the built in media player is good enough for 90% of the media that's out there.
Some of us don't want to run Windows, or even if we do, don't want to chase codecs.
Re: (Score:2)
Movist for mac os was pretty good back in the day.
Listen, I'm not denying that VLC is useful, but it's by no measure a good application.
It's likely the best one, but again, that isn't saying much.
Re: (Score:2)
If you don't know of the CLI only functions in VLC (which make up the majority of the features of VLC) you don't know VLC well
Do you NEED them? Does the average user need them? I used to use VLC all the time, and I've never used any of the CLI features. VLC has its problems, but CLI options doesn't come close to the top.
Re: (Score:2)
That wasn't the point of my statement.
Its need or use isn't really the point, the point is that the majority of VLC's functions are uselessly complex for the average user.
The only part that's simple in VLC is that it autoplays a file that gets opened with it.
But try using any of the other functions, like conversion, or streaming, or transcoding, and you're going to have a bad time.
In some cases, yes, you do need the other features. If you every try to do a batch convert of some media files, it will fail if
Re: (Score:2)
Normal people can't be bothered to dig through three layers of config files to change a hostname or set an IP address,
Normal people don't set IP addresses :-)
Also, have you seen the maze you need to navigate to get to some configurations in Windows? Not to mention the abomination that's called the Registry?
I do agree with some of your points, but the configuration especially on Linux is far, far ahead of anything that windows offers.
Re: (Score:2)
I mean... You're right, Windows' network settings are way too convoluted. But at least it auto-configures when you plug in a new NIC.
Last I set up Ubuntu Server, I went straight for /etc/network/interfaces, just to find out that it's configured by another service...
When I finally found that services config file, I found out that it's configured by another service too. Three layers of config files later, I was able to configure my NIC, and whenever I googled it, the answer was "just use /etc/network/interfac
Thanks, KDE. And Gnome (Score:4, Insightful)
Re: (Score:2)
Many people have been saying that for years. Especially about KDE, which is basically a windows copy. Gnome at least had the guts to here and there have its own ideas.
It is rare that someone conquers a market by copying the market leader, and when it happens it is usually because of superior marketing budget. Whoever thought that making Linux like windows would make it appeal to more people didn't understand why people are using Windows - or Linux - in the first place.
But, as I said, lots of us have been sa
Re: (Score:2)
Re: (Score:2)
Zero user interaction? (Score:2)
Zero user interaction is required to trigger code execution — all you have to do is to browse a directory
Strange definition of zero user interaction.
It still assumes a system with a GUI desktop running KDE and that user browsing a directory containing files not under his or her control. Such a file must be placed on the system in the first place too, requiring the user for example to download it or mount a device like a DVD or USB key. I'd say for all those things to come into play a user is needed.
Re: Zero user interaction? (Score:2)
Yeah you pretty much have to plug in a suspicious usb drive you found on the street for this to be an issue, and in that case you are already open to a million other attacks
YAY (Score:1)
Now I can enjoy one extra feature Windows has!
Poor behavior (Score:2)
Re: (Score:1)
Easy attack ...? (Score:2)
"Just" requires a user to download an odd file, or possibly a ZIP file and unpack it - Most modern KDE distributions have trained users to not do this as software is so much simpler to install from a repository ...