Marketplace platform has critical vulnerabilities • The Register
A Berlin startup has disclosed a remote-code-execution (RCE) vulnerability and a wormable cross-site-scripting (XSS) flaw in Pling, which is used by various Linux desktop theme marketplaces.
Positive Security, which found the holes and is not to be confused with Russia’s Positive Technologies, said the bugs are still present in the Pling code and its maintainers have not responded to vulnerability reports.
Pling presents itself as a marketplace for creative folk to upload Linux desktop themes and graphics, among other things, in the hope of making a few quid from supporters. It comes in two parts: code needed to run your own bling bazaar, and an Electron-based app users can install to manage their themes from a Pling souk. The web code has the XSS in it, and the client has the XSS and an RCE. Pling powers a bunch of sites, from pling.com and store.kde.org to gnome-look.org and xfce-look.org.
The upshot is that miscreants can exploit the XSS to upload and modify resources as other users on marketplaces, and the RCE can be abused by webpages and marketplaces to execute malicious code on a victim’s computer.
“A wormable XSS with potential for supply chain attacks on Pling-based marketplaces, and a drive-by RCE affecting users of the PlingStore application are still exploitable,” wrote Positive’s Fabian Bräunlein on Tuesday.
Detailing how one of the flaws looked like “XSS by design,” Bräunlein said he stumbled across it while testing KDE Discover’s handling of arbitrary URIs. KDE Discover, he explained, is a typical Linux desktop bling marketplace based on the Pling platform.
Invoking the vuln was straightforward: Bräunlein navigated to KDE Discover’s upload page for new creations, and pasted a JavaScript-based XSS payload into one of its fields, wrapped inside an iframe.
“This stored XSS could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS,” he wrote. While KDE patched Discover in March following Bräunlein’s findings, Pling was less proactive.
RCE-hunting
Following on from that discovery, Bräunlein realized the PlingStore marketplace application was also vulnerable to the XSS – “and from there, can likely be escalated to RCE when combined with an Electron sandbox bypass.”
However, a sandbox bypass wasn’t needed. When run, the app creates a local WebSocket server that is insecure. An XSS payload delivered from a theme marketplace, or any webpage opened in a browser, can connect to this local server, and use it to tell the software to fetch and run arbitrary malicious code. That means accessing a booby-trapped marketplace listing in the app, or surfing to a bad website with PlingStore running in the background, can lead to malware running on your Linux PC via the Pling application, according to Positive.
“When the XSS is triggered inside the Electron app, the payload can establish a connection to the local WebSocket server and send messages to execute arbitrary native code,” wrote Bräunlein. And as for the webpage-delivered RCE, “exploitation is triggered by visiting a malicious website in any browser, while PlingStore is running in the background.”
Pling’s anonymous maintainers, who do not identify themselves on either Pling.com or sister site opendesktop.org, did not respond to an email seeking comment. Bräunlein said he first tried tipping off the programmers in February, and again and again thereafter, and nothing was done.
While Electron is quite useful for making cross-platform apps out of JavaScript, HTML, and CSS, it does need to be secured requiring developers who know what they’re doing. “My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately,” said an engineering director for Google Chrome in 2020 after an RCE vulnerability in Electron-based desktop Slack app came to light. ®