Thu. Aug 13th, 2020

KDE 0-day vulnerability lets attackers execute commands on Linux systems


Security researcher Dominik Penner disclosed a 0-day vulnerability in the KDE desktop environment for Linux. According to Dominik, the flaw affects KDE 4 and KDE 5 and allows commands embedded in .desktop and .directory files to be executed when a user opens a folder containing them or extracts an archive containing them to the desktop.

KDE Plasma 5.17

The .desktop and .directory files are configuration files the desktop environment uses to control how applications and folders are displayed. A .desktop file registers an application in the KDE menu, and a .directory file describes how KDE should display a folder.

In an interview with BleepingComputer, Dominik explained:

“KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop.”

The core of the problem is that KDE permits shell expansion in these files, so field values can be generated dynamically from environment variables or from the output of executed commands.

“They use the same syntax as the freedesktop specification, however because they also allow the shell expansion (freedesktop doesn’t allow this itself), it’s exploitable. It’s more of a design flaw than anything, the configuration syntax for .desktop and .directory files should be consistent with that of XDG (freedesktop)’s spec.

And yeah, any entry can be injected. Theoretically this could be exploited in a lot of other areas, however it’s easiest to get the entry read via icons”

Because there is currently no way to turn off shell expansion in the KDE desktop to mitigate this issue, Dominik recommends that users inspect each .desktop and .directory file and disable any dynamic entries.
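The check recommended above, as an added example (this is not code from the article, from Dominik Penner or from the KDE project): a small Python scanner that parses .desktop and .directory files, flags entries that KConfig could expand, and produces a copy of the file with those entries commented out. The `[$e]` key suffix is KConfig's documented marker for an entry that is eligible for expansion; the sample file, the function names and the regular expressions are this example's own constructed assumptions.

```python
"""Scan .desktop / .directory files for dynamic (shell-expanded) entries.

Added example, not code from the article or from KDE. It flags entries that
KConfig's expandString() could evaluate: keys carrying the [$e] expansion
marker (KConfig's documented syntax) and values containing $VAR, ${VAR},
$(command) or backtick constructs.
"""
import re
import sys
from pathlib import Path

# A key may carry locale and/or flag suffixes, e.g. Name[de] or Icon[$e].
KEY_RE = re.compile(r'^\s*([A-Za-z0-9-]+)((?:\[[^\]]*\])*)\s*=(.*)$')
# Shell-expansion constructs that KConfig can evaluate when expansion is on.
DYNAMIC_RE = re.compile(r'\$\(|\$\{|\$[A-Za-z_]|`')

# Constructed sample .directory file; line 5 carries the [$e] expansion flag
# with a harmless command substitution, line 6 references an environment variable.
SAMPLE = """[Desktop Entry]
Type=Directory
Name=Holiday photos
Name[de]=Urlaubsfotos
Icon[$e]=$(echo folder-pictures)
Comment=Path is ${HOME}/photos
"""


def find_dynamic_entries(text):
    """Return (line_no, group, key, reason) for every entry that looks dynamic."""
    findings = []
    group = None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue                      # blank line or comment
        if stripped.startswith('[') and stripped.endswith(']'):
            group = stripped[1:-1]        # e.g. "Desktop Entry"
            continue
        m = KEY_RE.match(line)
        if not m:
            continue                      # not a key=value line
        key, flags, value = m.group(1), m.group(2), m.group(3)
        reasons = []
        if '[$e]' in flags:
            reasons.append('expansion flag [$e]')
        if DYNAMIC_RE.search(value):
            reasons.append('shell-expansion syntax in value')
        if reasons:
            findings.append((no, group, key, '; '.join(reasons)))
    return findings


def disable_dynamic_entries(text):
    """Return a copy of the file with every flagged entry commented out."""
    flagged = {no for no, _, _, _ in find_dynamic_entries(text)}
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        out.append('# disabled: ' + line if no in flagged else line)
    return '\n'.join(out) + '\n'


def scan_paths(paths):
    """Scan the given files and return {path: findings} for files with hits."""
    report = {}
    for p in map(Path, paths):
        hits = find_dynamic_entries(p.read_text(errors='replace'))
        if hits:
            report[str(p)] = hits
    return report


if __name__ == '__main__':
    # Usage: python scan_desktop.py ~/Desktop/*.desktop ~/Downloads/**/.directory
    # With no arguments the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        for path, hits in scan_paths(sys.argv[1:]).items():
            for no, group, key, reason in hits:
                print(f'{path}:{no}: [{group}] {key}: {reason}')
    else:
        for no, group, key, reason in find_dynamic_entries(SAMPLE):
            print(f'sample:{no}: [{group}] {key}: {reason}')
```

Only entries whose key carries `[$e]` are actually expanded by KConfig, so the `[$e]` hits are the ones that matter most; the plain-syntax match on `$(`, `${` and `$VAR` is deliberately conservative and catches files from untrusted sources where the flag might be added later or where a reviewer simply wants every dynamic-looking value listed. Commenting flagged lines out rather than deleting them keeps the original content visible for review.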