KDE Plasma closes leak that allows code execution via USB drive

Spread the love

The team behind KDE Plasma has patched a leak in its desktop environment that could allow an attacker with physical access to execute code on a system using a USB drive with a particular format and a special name.

The vulnerability occurs when a user mounts a USB drive via the so-called device notifier. That is a pop-up that appears when a removable device is connected. The notification lists a number of possible actions that the user can perform. In case the usb drive is formatted with vfat and the volume label contains quotes or $() symbols, the name is considered a shell command.

That means that the name $(touch b) creates a file called ‘b’ for example in the home folder. This can be exploited by an attacker with physical access to a system to execute code of their own choosing.

According to the security warning, the vulnerability CVE-2018-6791 affects software versions earlier than 5.12.0 of KDE Plasma. A patch is therefore available in versions 5.12.0 and 5.8.9 of the software. If users are unable to run the patches, a workaround is available by mounting removable devices through Dolphin.

You might also like
Exit mobile version