You won't want that Linux bling if it comes from Pling: Marketplace platform has critical vulnerabilities

No one wants to be pwned by a drive-by RCE


A Berlin startup has disclosed a remote-code-execution (RCE) vulnerability and a wormable cross-site-scripting (XSS) flaw in Pling, which is used by various Linux desktop theme marketplaces.

Positive Security, which found the holes and is not to be confused with Russia’s Positive Technologies, said the bugs are still present in the Pling code and its maintainers have not responded to vulnerability reports.

Pling presents itself as a marketplace for creative folk to upload Linux desktop themes and graphics, among other things, in the hope of making a few quid from supporters. It comes in two parts: code needed to run your own bling bazaar, and an Electron-based app users can install to manage their themes from a Pling souk. The web code has the XSS in it, and the client has the XSS and an RCE. Pling powers a bunch of sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.

The upshot is that miscreants can exploit the XSS to upload and modify resources as other users on marketplaces, and the RCE can be abused by webpages and marketplaces to execute malicious code on a victim's computer.

“A wormable XSS with potential for supply chain attacks on Pling-based marketplaces, and a drive-by RCE affecting users of the PlingStore application are still exploitable,” wrote Positive’s Fabian Bräunlein on Tuesday.

Detailing how one of the flaws looked like “XSS by design,” Bräunlein said he stumbled across it while testing KDE Discover’s handling of arbitrary URIs. KDE Discover, he explained, is a typical Linux desktop bling marketplace based on the Pling platform.

Invoking the vuln was straightforward: Bräunlein navigated to KDE Discover's upload page for new creations, and pasted a JavaScript-based XSS payload into one of its fields, wrapped inside an iframe.

“This stored XSS could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS,” he wrote. While KDE patched Discover in March following Bräunlein’s findings, Pling was less proactive.

RCE-hunting

Following on from that discovery, Bräunlein realized the PlingStore marketplace application was also vulnerable to the XSS – “and from there, can likely be escalated to RCE when combined with an Electron sandbox bypass.”

However, a sandbox bypass wasn't needed. When run, the app creates a local WebSocket server that is insecure. An XSS payload delivered from a theme marketplace, or any webpage opened in a browser, can connect to this local server, and use it to tell the software to fetch and run arbitrary malicious code. That means accessing a booby-trapped marketplace listing in the app, or surfing to a bad website with PlingStore running in the background, can lead to malware running on your Linux PC via the Pling application, according to Positive.

“When the XSS is triggered inside the Electron app, the payload can establish a connection to the local WebSocket server and send messages to execute arbitrary native code,” wrote Bräunlein. And as for the webpage-delivered RCE, “exploitation is triggered by visiting a malicious website in any browser, while PlingStore is running in the background.”

Pling’s anonymous maintainers, who do not identify themselves on either Pling.com or sister site opendesktop.org, did not respond to an email seeking comment. Bräunlein said he first tried tipping off the programmers in February, and again and again thereafter, and nothing was done.

While Electron is quite useful for making cross-platform apps out of JavaScript, HTML, and CSS, it does need to be secured requiring developers who know what they're doing. “My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately," said an engineering director for Google Chrome in 2020 after an RCE vulnerability in Electron-based desktop Slack app came to light. ®

Similar topics


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022