thewhiteh4t's Blog

CVE-2018-6791 | PoC | Arbitrary Command Execution in KDE Plasma

Introduction

An issue was discovered in KDE Plasma Workspace before 5.12.0. When a vfat thumb drive whose volume label contains backticks (``) or $() is plugged in and mounted through the device notifier, the label is interpreted as part of a shell command, leading to arbitrary command execution as the logged-in desktop user. An example of an offending volume label is "$(touch b)", which creates a file called b in the home folder.

Lab Setup

  • Target OS : Linux Mint 18.3 running KDE Plasma 5.8
  • Attacker Machine : Kali Linux 2018.1

Vulnerability

The vulnerability is in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumb drive whose volume label contains backticks (``) or $() is plugged in and mounted through the device notifier, the label is interpreted as part of a shell command, leading to arbitrary command execution.

This is the original, unpatched code in soliduiserver/deviceserviceaction.cpp:


    void DelayedExecutor::delayedExecute(const QString &udi)
    {
        Solid::Device device(udi);
        // Exec= line of the action chosen in the device notifier
        QString exec = m_service.exec();
        // Device values are substituted verbatim, without shell quoting
        MacroExpander mx(device);
        mx.expandMacros(exec);
        // The expanded string is run through a shell
        KRun::runCommand(exec, QString(), m_service.icon(), 0);
        deleteLater();
    }
    

The problem is this call:

    mx.expandMacros(exec);

expandMacros() substitutes the device-derived values (for example the mount point, which on a udisks-based desktop typically contains the volume label) into the Exec string exactly as they are. KRun::runCommand() then hands the expanded string to a shell, so a label such as "$(touch b)" is evaluated as a command substitution. The fix in Plasma 5.12.0 replaces the call with

    mx.expandMacrosShellQuote(exec);

which shell-quotes each substituted value before inserting it, so the label reaches the command as a literal argument instead of being parsed by the shell.
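To see the difference between the two calls without building Plasma, here is an added example (my own plain C++ without Qt, not plasma-workspace code) that reimplements the two expansion behaviours and runs the result through /bin/sh. Everything below is an assumption of this example: the action's Exec= line is a constructed `echo opening %f`, `%f` stands for the mount point, the mount point is `/media/<user>/<label>` in the udisks style, and the quoting mimics KShell::quoteArg rather than calling it. The label `$(echo pwn)` is a benign, 11-character stand-in for the page's `$(touch b)`.

```cpp
// Added example, not code from plasma-workspace: a plain C++ (no Qt)
// re-implementation of the two expansion behaviours behind CVE-2018-6791.
#include <cstdio>
#include <iostream>
#include <string>

// Characters a POSIX shell treats specially; a value containing any of them
// must be quoted before it is embedded in a command line.
bool isShellSpecial(char c) {
    static const std::string special = " \t\n\\'\"`$&|<>;()*?[]~#!{}";
    return special.find(c) != std::string::npos;
}

// Approximation of KShell::quoteArg() on Unix: return the value unchanged if
// it is safe, otherwise wrap it in single quotes, rewriting embedded single
// quotes as '\'' (close quote, escaped quote, reopen quote).
std::string shellQuote(const std::string &arg) {
    if (arg.empty()) return "''";
    bool needsQuoting = false;
    for (char c : arg) if (isShellSpecial(c)) { needsQuoting = true; break; }
    if (!needsQuoting) return arg;
    std::string out = "'";
    for (char c : arg) out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    out += '\'';
    return out;
}

enum class Mode { Raw, ShellQuote };   // expandMacros vs expandMacrosShellQuote

// Minimal stand-in for KMacroExpanderBase (assumed behaviour): replaces %f
// with the device value (here the mount point) and %% with a literal percent.
std::string expandMacros(const std::string &execLine, const std::string &value, Mode mode) {
    std::string out;
    for (size_t i = 0; i < execLine.size(); ++i) {
        if (execLine[i] == '%' && i + 1 < execLine.size()) {
            char m = execLine[i + 1];
            if (m == 'f') { out += (mode == Mode::ShellQuote) ? shellQuote(value) : value; ++i; continue; }
            if (m == '%') { out += '%'; ++i; continue; }
        }
        out += execLine[i];
    }
    return out;
}

// Assumption: removable media is mounted under /media/<user>/<label>, so the
// label ends up inside the path that is substituted for %f.
std::string mountPointFor(const std::string &user, const std::string &label) {
    return "/media/" + user + "/" + label;
}

// Hand a command string to /bin/sh, as a shell-executing runCommand would,
// and return what it printed (side effects are real, so keep payloads benign).
std::string runThroughShell(const std::string &cmd) {
    std::string out;
    FILE *p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    return out;
}

int main() {
    // Constructed inputs: a benign 11-character stand-in for the page's
    // "$(touch b)" label, and a fake Exec= line standing in for an action.
    const std::string label = "$(echo pwn)";
    const std::string execLine = "echo opening %f";
    const std::string mountPoint = mountPointFor("user", label);

    const std::string unquoted = expandMacros(execLine, mountPoint, Mode::Raw);
    const std::string quoted = expandMacros(execLine, mountPoint, Mode::ShellQuote);

    std::cout << "expandMacros:           " << unquoted << "\n  shell prints: " << runThroughShell(unquoted);
    std::cout << "expandMacrosShellQuote: " << quoted << "\n  shell prints: " << runThroughShell(quoted);
    return 0;
}
```

Compile with g++ -std=c++17 and run it: the expandMacros line prints `opening /media/user/pwn`, because the shell executed the substitution embedded in the label, while the expandMacrosShellQuote line prints `opening /media/user/$(echo pwn)` literally. Those two strings are the before and after of the one-line fix.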

What is FAT

FAT (File Allocation Table) dates from 1981 and, because of its age, is supported by almost every operating system, including Windows NT, Windows 98, the Macintosh OS and some versions of UNIX. Classic FAT limits filenames to eight characters plus a three-character extension (the 8.3 format). Filenames must begin with a letter or number, cannot contain spaces, and are not case sensitive. The volume label is a separate 11-byte field, stored space-padded in the boot sector and again in a root directory entry carrying the volume-ID attribute; that field is the budget for a payload in this bug, and "$(touch b)" uses ten of the eleven characters.

What is VFAT

VFAT, introduced with Windows 95, extends FAT with long filenames while staying backward compatible: names can be up to 255 characters and may contain spaces and multiple periods. VFAT preserves the case of filenames but is still not case sensitive. The long-name extension applies to files and directories only; the volume label keeps its 11-character limit.

What is FAT32

FAT32, first shipped with Windows 95 OEM Service Release 2, extends FAT and VFAT with 32-bit cluster numbers. That lifts the 2 GB volume limit of ordinary FAT16 and allows much smaller clusters on large volumes, so far less space is wasted in partially filled clusters, which is the "more free disk space" usually credited to FAT32. The boot-sector layout also changes: the volume label field moves from offset 43 to offset 71.
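Where the payload actually lives on disk, as an added example (my own C++, not from the post): it builds a constructed FAT12/16 or FAT32 boot sector carrying a label, then reads the label back from the 11-byte field at the offset the FAT specification gives for each layout. No real device is touched; the boot-sector bytes are constructed in the block. Formatting tools also write a second copy of the label as a root directory entry, which Linux tooling generally prefers; the boot-sector copy is shown because it is the simpler of the two and has the same 11-byte limit.

```cpp
// Added example, not part of the original post: locate and read the volume-label
// field of a FAT boot sector, using constructed bytes rather than a real device.
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Offsets from the FAT specification's BIOS Parameter Block / extended boot record.
constexpr size_t BPB_FATSz16 = 22;   // 16-bit FAT size; zero means the FAT32 layout
constexpr size_t BS_VolLab16 = 43;   // 11-byte volume label, FAT12/FAT16
constexpr size_t BS_VolLab32 = 71;   // 11-byte volume label, FAT32
constexpr size_t VOL_LABEL_LEN = 11; // the field never grows, VFAT long names or not

// The label field is what bounds an attacker's payload: 11 bytes, no more.
bool fitsVolumeLabel(const std::string &label) {
    return label.size() <= VOL_LABEL_LEN;
}

// Read the space-padded label out of the boot sector and strip the padding.
std::string readVolumeLabel(const std::vector<std::uint8_t> &sector) {
    if (sector.size() < 512 || sector[510] != 0x55 || sector[511] != 0xAA) return "";
    std::uint16_t fatSz16 = static_cast<std::uint16_t>(sector[BPB_FATSz16] | (sector[BPB_FATSz16 + 1] << 8));
    size_t off = (fatSz16 == 0) ? BS_VolLab32 : BS_VolLab16;
    std::string label(reinterpret_cast<const char *>(&sector[off]), VOL_LABEL_LEN);
    while (!label.empty() && label.back() == ' ') label.pop_back();
    return label;
}

// Build a minimal constructed boot sector carrying the given label. Only the
// fields the parser looks at are filled in. A label longer than 11 bytes is cut
// off here; real formatting tools either truncate or refuse, but never store more.
std::vector<std::uint8_t> makeBootSector(bool fat32, const std::string &label) {
    std::vector<std::uint8_t> s(512, 0);
    s[0] = 0xEB; s[1] = 0x3C; s[2] = 0x90;                // x86 jump over the BPB
    std::memcpy(&s[3], "MSWIN4.1", 8);                    // OEM name
    s[11] = 0x00; s[12] = 0x02;                           // 512 bytes per sector
    if (!fat32) { s[BPB_FATSz16] = 0x01; }                // nonzero FATSz16 => FAT12/16 layout
    const size_t off = fat32 ? BS_VolLab32 : BS_VolLab16;
    std::memset(&s[off], ' ', VOL_LABEL_LEN);
    std::memcpy(&s[off], label.data(), std::min(label.size(), VOL_LABEL_LEN));
    std::memcpy(&s[fat32 ? 82 : 54], fat32 ? "FAT32   " : "FAT16   ", 8); // BS_FilSysType
    s[510] = 0x55; s[511] = 0xAA;                         // boot sector signature
    return s;
}

int main() {
    // Constructed candidate labels: the page's payload, an over-long one, and a default.
    for (const std::string &candidate : {"$(touch b)", "$(touch pwn)", "NO NAME"}) {
        std::cout << '"' << candidate << "\" fits: " << (fitsVolumeLabel(candidate) ? "yes" : "no")
                  << ", stored on FAT32 as: \"" << readVolumeLabel(makeBootSector(true, candidate)) << "\"\n";
    }
    return 0;
}
```

Run it to see that "$(touch b)" fits, while "$(touch pwn)" is cut to "$(touch pwn" and arrives with an unbalanced parenthesis, which a shell rejects as a syntax error rather than executing. Any payload for this bug has to be written in eleven characters or fewer.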

Proof of Concept