Security researcher warns against running PlingStore Electron or visiting affected websites
A pair of serious zero-day vulnerabilities in Opendesktop’s Pling could result in drive-by remote code execution (RCE) and supply chain attacks against Linux marketplaces based on the platform.
Having failed to elicit a response from the project maintainers, security researcher from Berlin-based infosec firm Positive Security disclosed the flaws in a bid to warn users of the threat.
Affected Pling-based app stores include appimagehub.com, store.kde.org, gnome-look.org, xfce-look.org, and pling.com.
Pling-Store is an installer and content management app for OCS-compatible websites that allows the installation of desktop and icon themes, wallpapers, and mouse cursors within desktop environments such as KDE Plasma, Gnome, and XFCE.
‘XSS by design’
Recounting how he discovered the flaws, Fabian Bräunlein, security researcher and managing director at Positive Security, says that while testing the KDE Discover app store’s Uniform Resource Identifier (URI) handling, he stumbled across a field allowing users to embed media in a listing. The field, he says, “looked like XSS by design”.
Adding an iframe and then a malicious JavaScript payload in a separate line created a stored XSS “that could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS”.
Read more of the latest Linux security news and analysis
This, he says, would allow for a supply chain attack whereby a JavaScript payload uploads a backdoored, software version that changes the metadata of the victim’s listings to include the malicious payload.
“The XSS is very easy to exploit. Bypassing any protection or filtering was trivial,” Bräunlein tells The Daily Swig. “The stored XSS is triggered simply when someone visits the listing – no user interaction is required.”
RCE exploit
Meanwhile, Bräunlein found, the native PlingStore application is affected by an RCE vulnerability that can be triggered from any website while the app is running in the background.
“During the start, the PlingStore Electron app also launches a component which listens on a local socket for commands. There is no check whether the commands actually come from the Electron app, so any website can send such commands by initiating a WebSocket connection,” he says.
“As this component is also used to install applications, some of the commands allow downloading and executing binary files.”
Timeline
The disclosure process did not run smoothly – indeed, Bräunlein describes it as “surprising and disappointing”.
He first reported the issue via an email sent to Opendesktop on February 24, and followed up repeatedly with further emails, a phone call, a forum post (now locked), and via Pling’s chat service.
On 18 June, having received no response, he warned the project maintainers through several of these lines of contact that he was about to go public, finally doing so on 22 June.
The Daily Swig has also contacted Opendesktop’s maintainers for comment, and will update this story in the event of a reply.
Bräunlein advises users not to run the PlingStore Electron application – or, even better, remove the AppImage file – unless and until the RCE is fixed.
And, with any listing on the affected stores capable of hijacking accounts on the platform via XSS, potentially compromising any downloadable assets, users of the affected websites are best advised to log out of their accounts and stay away from the domains unless the issues are remediated.
DON’T FORGET TO READ CSP bypass: How one Chrome XSS bug took 2.5 years and an HTML spec change to fix
