vastconsultancy.blogg.se

Pling store

Security researcher warns against running PlingStore Electron or visiting affected websites

A pair of serious zero-day vulnerabilities in Opendesktop’s Pling could result in drive-by remote code execution (RCE) and supply chain attacks against Linux marketplaces based on the platform.

Having failed to elicit a response from the project maintainers, a security researcher from Berlin-based infosec firm Positive Security disclosed the flaws in a bid to warn users of the threat.

Affected Pling-based app stores include, ,, , and.

Pling-Store is an installer and content management app for OCS-compatible websites that allows the installation of desktop and icon themes, wallpapers, and mouse cursors within desktop environments such as KDE Plasma, Gnome, and XFCE.

Recounting how he discovered the flaws, Fabian Bräunlein, security researcher and managing director at Positive Security, says that while testing the KDE Discover app store’s Uniform Resource Identifier (URI) handling, he stumbled across a field allowing users to embed media in a listing.

The field, he says, “looked like XSS by design”.

Adding an iframe and then a malicious JavaScript payload in a separate line created a stored XSS “that could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS”.

This, he says, would allow for a supply chain attack whereby a JavaScript payload uploads a backdoored software version that changes the metadata of the victim’s listings to include the malicious payload.

“Bypassing any protection or filtering was trivial,” Bräunlein tells The Daily Swig. “The stored XSS is triggered simply when someone visits the listing – no user interaction is required.”

RCE exploit

Meanwhile, Bräunlein found, the native PlingStore application is affected by an RCE vulnerability that can be triggered from any website while the app is running in the background.

“During the start, the PlingStore Electron app also launches a component which listens on a local socket for commands. There is no check whether the commands actually come from the Electron app, so any website can send such commands by initiating a WebSocket connection,” he says. “As this component is also used to install applications, some of the commands allow downloading and executing binary files.”

Timeline

The disclosure process did not run smoothly – indeed, Bräunlein describes it as “surprising and disappointing”.

What’s more, a similar XSS flaw uncovered in the GNOME Shell Extensions marketplace could be leveraged to target the victim’s computer by issuing malicious commands to the Gnome Shell Integration browser extension and even backdoor published extensions.

The Berlin-based cybersecurity firm noted that the flaws were reported to the respective project maintainers on Feb. 24, with KDE Project and GNOME Security issuing patches for the issues following disclosure. In light of the fact that the RCE flaw associated with the PlingStore remains unaddressed as yet, it’s recommended not to run the Electron application until a fix is in place.

The report comes less than a month after severe security weaknesses were uncovered in several popular Visual Studio Code extensions that could enable attackers to compromise local machines as well as build and deployment systems through a developer’s integrated development environment, ultimately paving the way for supply-chain attacks.

“[...] demonstrate the additional risk associated with such marketplaces,” Bräunlein said. “In this environment, even relatively small vulnerabilities (e.g. a missing origin check) can lead to severe consequences (drive-by RCE from any browser with the vulnerable application running in background). Developers of such applications must put in a high level of scrutiny to ensure their security.”





