Wormable Attacks & Drive-By RCE Allowed by Unpatched Linux Marketplace Bugs!

An unpatched stored cross-site-scripting (XSS) security vulnerability affecting Linux marketplaces could allow unchecked, wormable supply-chain attacks, researchers have discovered.

Several zero-days affecting Pling-based marketplaces could allow for some ugly attacks on unsuspecting Linux enthusiasts — with no patches in sight.

Researchers at Positive Security found that the bug affects Pling-based markets including AppImage Hub, Gnome-Look, KDE Discover App Store, Pling.com & XFCE-Look.

Remote Code-Execution

Also, the PlingStore application is affected by an unpatched remote code-execution (RCE) vulnerability, which researchers said can be triggered from any website while the app is running – allowing for drive-by attacks.

PlingStore is an installer & content-management application that acts as a consolidated digital storefront for the various mentioned sites that offer Linux software & plugins. It allows users to download, install & apply desktop themes, icon themes, wallpapers, mouse cursors & so on directly using the “Install” button.

The Pling team could not be reached, according to Fabian Bräunlein with Positive Security, writing in a blog post on Tues. – “which is why we have decided to publish these unpatched vulnerabilities in order to warn users,” he observed.

Wormable XSS Linux Bug

The stored XSS bug was 1st discovered affecting KDE Discover. Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application. Unlike reflected XSS, a stored attack only requires that a victim visit a compromised web page.

“While creating my own listing to test Discover’s URI handling, I stumbled upon a field that looked like XSS by design,” Bräunlein explained. “While a simple XSS payload did not work, it was sufficient to first add an iframe & then the malicious JavaScript payload in a separate line.”

HTML Code

After adding an XSS payload in the HTML code section, he found that the XSS could be triggered when visiting a malicious listing in the affected marketplace.

Attackers could exploit the bug to modify active listings, or post new listings on Pling-based stores in the context of other users, resulting in a wormable XSS, the researcher warned.

“Besides the typical XSS implications, this would allow for a supply-chain attack XSS worm using a JavaScript payload that performs the following 2 steps: Upload a new (backdoored) version of their software; & change the metadata of the victim’s listings to itself include this malicious payload,” he commented.

Essentially, any of the downloadable assets might be compromised, so users should be warned that any listing on any of the affected marketplaces could hijack a user’s account on the platform via XSS, Bräunlein stated.

PlingStore RCE

The PlingStore app meanwhile also allows the XSS vulnerability to be triggered, according to Bräunlein – but the damage can also be escalated to RCE. That is because the application by design can install other applications, with a built-in mechanism to execute code on the OS level.

“As it turns out, that mechanism can be exploited by any website to run arbitrary native code while the PlingStore app is open in the background,” he outlined.

WebSocket Server

When the XSS is triggered inside the app, the payload can establish a connection to the local WebSocket server & send messages to execute arbitrary native code (by downloading & executing an AppImage file).

“When the PlingStore app is started, it also launches ocs-manager, a local WebSocket server that listens to messages from the app,” Bräunlein explained. “ocs-manager implements various functions that can be called by the app to retrieve information or trigger actions.”

Arbitrary Code

He found that by combining 3 function calls, it is possible to execute arbitrary code:

  • Call “ItemHandler::getItem” to download an AppImage from any URL as type bin
  • Call “ConfigHandler::getAppConfigInstallTypes” to leak the full bin directory path (by default in the home directory, thus dependent on the username)
  • Call “SystemHandler::openUrl” with the AppImage path as argument (implements special handling for AppImage files to execute them instead of starting them with the default application)

WebSocket Connections

“Browsers do not implement the same-origin policy for WebSocket connections,” Bräunlein warned.

“Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent.”

The researcher published a proof-of-concept exploit showing that the attack can be carried out by visiting a malicious website in any browser.
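The missing check described above is the handshake-time origin validation (plus the “additional authentication” Bräunlein recommends). The following is an added illustration, not code from the article or from ocs-manager: a minimal RFC 6455 handshake handler for a local WebSocket server that refuses any page origin outside a constructed allowlist and, optionally, also demands a per-launch secret token. The origin `https://app.example.test`, the token and the request builder are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake constant
ALLOWED_ORIGINS = {"https://app.example.test"}  # constructed: the app's own UI origin

def parse_handshake(raw: bytes):
    """Split an HTTP/1.1 Upgrade request into its request-target and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ", 2)[1] if " " in request_line else "/"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def handshake_response(raw: bytes, allowed_origins=ALLOWED_ORIGINS, token=None) -> bytes:
    """Answer 101 only if Origin is allowlisted and, when a per-launch token is
    configured, the client also presents that token in the query string."""
    target, h = parse_handshake(raw)
    if (h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()
            or "sec-websocket-key" not in h):
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    # Browsers attach Origin to every WebSocket handshake but never enforce it,
    # so the server must: an unknown or missing Origin is refused outright.
    if h.get("origin") not in allowed_origins:
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    # Non-browser clients can forge Origin, so a secret the app hands its own
    # UI at launch (e.g. secrets.token_urlsafe()) is the second, real check.
    if token is not None:
        supplied = parse_qs(urlparse(target).query).get("token", [""])[0]
        if not hmac.compare_digest(supplied.encode(), token.encode()):
            return b"HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n"
    key = (h["sec-websocket-key"] + WS_GUID).encode("ascii")
    accept = base64.b64encode(hashlib.sha1(key).digest()).decode("ascii")
    return ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Accept: {accept}\r\n\r\n").encode()

def client_handshake(origin=None, target="/") -> bytes:
    # Constructed browser-style handshake using the RFC 6455 sample key.
    lines = [f"GET {target} HTTP/1.1", "Host: 127.0.0.1:9000", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13"] + ([f"Origin: {origin}"] if origin else [])
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
```

A page from any other origin, or a client that omits Origin, gets a 403 before the socket is ever upgraded, so no command message can reach the native-side handlers.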

No Patches

Bräunlein revealed that he first attempted to contact Pling in Feb., but after months of trying various avenues (including email to the “contact” address, support chats, phone calls to the organisation & its CEO, & the creation of a support forum post), he decided to publicly disclose the issues.

One of the marketplaces, KDE Discover, was immediately responsive, however, & published a patch and advisory in Mar.

“App Marketplaces are at the intersection of 2 worlds: User-provided content, mostly presented to the user with web technology; & managing & installing native applications,” Bräunlein concluded.

Heavily Sandboxed

“While No. 1 is usually considered highly untrusted & heavily sandboxed, App Store integrations create a bridge to No. 2, an area that requires a high level of trust. In this environment, even relatively small vulnerabilities (e.g., a missing origin check) can lead to severe consequences (drive-by RCE from any browser with the vulnerable application running in background). Developers of such applications must put in a high level of scrutiny to ensure their security.”

He urged users of Pling-based marketplaces to avoid using the PlingStore applications, & to log out of their accounts for the affected websites until the issues have been fixed.
