
A vulnerability exists in the default KDE extraction utility, called ARK, that allows attackers to overwrite files or execute code on victims' computers simply by tricking them into downloading an archive and extracting it.

KDE is a desktop environment found in Linux distributions such as openSUSE, Kali, Kubuntu, and others that offers a graphical user interface to the operating system.

Discovered by security researcher Dominik Penner of Hackers for Change, the path traversal vulnerability in the default ARK archive utility allows malicious actors to achieve remote code execution by distributing malicious archives.

Once a user opens the archive, the attacker can create autostarts that automatically launch programs that could encrypt a user's files with ransomware, install miners, or install backdoors that give remote attackers shell access to a victim's account.

Penner reported this vulnerability to the KDE security team on July 20th, 2020, and the bug was quickly fixed in Ark 20.08.0, which was released today.

As ARK is the default extractor in the KDE desktop environment and ships with almost all Linux distributions that offer KDE, all users are advised to install the latest update as soon as possible.

Path traversal bug leads to code execution

The KDE desktop environment allows users to automatically start applications when they log into the operating system.

These autostarts are configured by creating special .desktop files in the ~/.config/autostart folder that specify what program should be executed on login.

For example, the desktop file shown below will automatically launch the 'konsole' application when a user logs into the desktop.

Konsole autostart
Source: BleepingComputer

Penner discovered that the ARK archive utility fails to remove path traversal characters when decompressing an archive. This bug allowed him to create archives that could extract files anywhere a user has access.

"KDE Ark is vulnerable to an arbitrary write vulnerability leading to command execution via directory traversal. Ark fails to strip directory traversal characters when decompressing tar, gzip, bzip2, rar and zip files, ultimately allowing an attacker to silently write files into the ~/.config/autostart directory, leading to command execution on the next reboot. This vulnerability is more commonly referred to as a 'Zip Slip' vulnerability," Penner wrote in a vulnerability report shared with BleepingComputer.

Using this bug, Penner created a proof of concept exploit that automatically creates KDE autostart configuration files simply by extracting a specially crafted archive in the current folder.

Once an autostart was created, the next time the computer is rebooted and a user logs into their account, the specified program will be executed, leading to remote code execution.

Testing the flaw

Penner shared a PoC with BleepingComputer, and in our tests, this vulnerability was incredibly easy to exploit.

Running the exploit, we are left with a specially crafted archive containing a payload.desktop autostart file whose extraction path includes path traversal characters.

For example: "../../../.config/autostart/hackersforchange.desktop".

When a user extracts the archive, ARK follows the traversal path above and creates the file ~/.config/autostart/hackersforchange.desktop, which launches xcalc the next time the user logs into the Linux KDE desktop.
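To show what the missing check looks like, here is an added example in Python (not Ark's code): it builds a constructed tarball containing the traversal entry quoted above, then extracts it with a path check that refuses any member resolving outside the destination directory. The archive contents and the xcalc .desktop payload are constructed for the demo; symlink-based escapes are out of scope for this snippet.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample archive: one harmless entry plus a Zip Slip entry using
# the traversal path quoted in the article (payload contents are hypothetical).
TRAVERSAL_NAME = "../../../.config/autostart/hackersforchange.desktop"

def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("readme.txt", b"harmless\n"),
            (TRAVERSAL_NAME, b"[Desktop Entry]\nType=Application\nExec=xcalc\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """The check Ark lacked: the member must resolve inside dest_dir.
    Rejects '..' segments and absolute names (symlink members not handled)."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) == dest

def safe_extract(archive_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Write only regular files that stay inside dest_dir; return (written, skipped)."""
    written, skipped = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if not m.isfile() or not is_safe_member(dest_dir, m.name):
                skipped.append(m.name)
                continue
            target = os.path.join(dest_dir, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(m).read())
            written.append(m.name)
    return written, skipped

def demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract-here")
        os.makedirs(dest)
        return safe_extract(build_sample_archive(), dest)
```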

Autostart installed by PoC to start Xcalc
Source: BleepingComputer

You can see a demonstration of this PoC in action below.

Due to the simplicity of exploiting this vulnerability, all KDE users are advised to upgrade to Ark 20.08.0 or later.

This bug is not the first KDE vulnerability discovered by Penner.

In 2019, Penner discovered a vulnerability that would perform remote code execution by merely opening an extracted folder.

Penner is part of the not-for-profit Hackers for Change organization where security professionals volunteer their time to help small to medium-sized charities.

"Hackers for Change is a volunteer-run not-for-profit that was founded on the idea of bridging the gap between charities and good cyber security practices. We do this by educating and enabling small to medium-sized charities and other volunteer led projects to protect their computer and information systems from cyber attacks, allowing them to focus on maximizing their social impact," Penner told BleepingComputer in a conversation.

If you are a small or medium-sized charity looking for security advice on better securing your systems so you can focus on your charitable work, you can contact Hackers for Change here.
