back to article Until last week, you could pwn KDE Linux desktop with a USB stick

A recently resolved flaw in the KDE Linux desktop environment meant that files held on a USB stick could be executed as soon as they were plugged into a vulnerable device. The security howler created a means to execute arbitrary code on KDE by simply naming a pendrive VFAT volume $() or similar, as explained in this advisory ( …

  1. Anonymous Coward

    Easy fix...

    ...disable autorun.inf

  2. Natalie Gritpants Silver badge

    I'm going to name all my USB sticks:

    `halt` from now on just in case any are stolen by a KDE fan

    1. David 132 Silver badge

      Re: I'm going to name all my USB sticks:

      Along the right lines, but insufficiently evil.

      Why not $(rm -rf /) ?

      1. Anonymous Coward
        Anonymous Coward

        Re: Why not $(rm -rf /) ?

        Because these days you are supposed to put some sort of cryptocoin miner in the disk label ... :-)

      2. storner

        Re: I'm going to name all my USB sticks:

        Because it won't work. You need "rm --no-preserve-root -rf /" if you really want that, which is longer than will fit in a VFAT volume label.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm going to name all my USB sticks:

          It’s good enough just to delete their home folder.

          After all. No one is going to be logged in as root and using KDE.....

          1. Anonymous Coward
            Anonymous Coward

            Re:logged in as root and using KDE.....

            Back in the day, sUSe used to have a lovely screen background for anyone logged on as root into a KDE desktop.

            Is it still around?

            1. Chemist

              Re: Re:logged in as root and using KDE.....

              "Back in the day, sUSe used to have a lovely screen background for anyone logged on as root into a KDE desktop.

              Is it still around?"

              Don't know - never log into the desktop as root ! No need !

              1. Anonymous Coward
                Anonymous Coward

                Re: Re:logged in as root and using KDE.....

                I think "no need, too dangerous" was the point the background/wallpaper was trying to make - a cartoon-style bomb, with the fuse lit. Or something liike that. Great for when senior management and/or politicians come wandering cluelessly by.

    2. Swarthy Silver badge

      Re: I'm going to name all my USB sticks:

      Oooh, how about `:(){ :|: & };:`

      No real damage, but that'll tech people to plug in random USB sticks.

  3. Christian Berger

    It's a problem with "Open Source" vs "Free Software"

    The Freedesktop people churn out "Open Source" software. It's available as source, but so incredibly complex that only they can maintain it. Since it's very fashionable to work for "Open Source" projects and they rarely deny people working on it, many beginners write code for them, resulting in even more code which only increases the dependence on some sort of "Open Source company" as well as the more or less occasional stupid bug.

    "Free Software" only is truely free when the software is simple enough to be understood by a single person or a very small group of them.

    1. wolfetone Silver badge

      Re: It's a problem with "Open Source" vs "Free Software"

      Have you any sort of idea as to why Linus Torvalds always goes mental when some clown submits daft code in to the Linux kernel?

      People are checking the code.

      1. Snorlax

        Re: It's a problem with "Open Source" vs "Free Software"

        Linus Torvalds always goes mental because Linus Torvalds *is* mental?

      2. Christian Berger

        Re: It's a problem with "Open Source" vs "Free Software"

        "Have you any sort of idea as to why Linus Torvalds always goes mental when some clown submits daft code in to the Linux kernel?"

        Yes, but this is KDE not the Linux Kernel.

    2. sisk

      Re: It's a problem with "Open Source" vs "Free Software"

      "Free Software" only is truely free when the software is simple enough to be understood by a single person or a very small group of them.

      Any software simple enough to be competently maintained by a single person is probably insufficiently complex to handle all the tasks handled by a modern desktop environment. Even Stallman himself would not apply such an incredibly limited definition to "free software" as that.

      Besides, understanding any open source project is simply a matter of time spent studying the code. There is no such thing as a project so complex that a competent programmer can't understand the code if (s)he spends enough time studying it.

      1. Pascal Monett Silver badge

        Absolutely agreed. Software is like the medical profession : beyond the common cold, you need a specialist to get a reliable diagnostic.

        Creating an OS is not making a fart app for a mobile phone. Even making games has become a very complex undertaking, what with the predictive network code, world mapping and multiplayer handling, not to mention graphics and object interaction (with or without physics involved). There is no way a single human being can assimilate the particularities of each domain in what is commonly called a triple-A title.

        You want code that a single person can understand ? Go for the 2D platformers in Early Access on Steam. That is likely to not be too complicated to understand because a lot of them are written by a small group of people. But if you get the code to Call of Duty, I'll wager you'll never get through it all.

        So don't knock Open Source on such arguments. That simply doesn't hold up to reality.

      2. Christian Berger

        Re: It's a problem with "Open Source" vs "Free Software"

        "Any software simple enough to be competently maintained by a single person is probably insufficiently complex to handle all the tasks handled by a modern desktop environment."

        Actually that's what people thought before UNIX, too. What's lacking is simply the right way to tackle the problem. Imagine instead of Wayland and X11 we would have chosen something simpler, like a virtual file system (Plan9 like) or perhaps a graphics and sound extension to the terminal.

        There are features you write explicitly, and there are features that get created by having some orthogonal features which implicitly create a whole new range of features.

  4. g00se

    It's bad enough auto-mounting by default, but running scripts/executables automatically too!? (if i've got what's actually happening right ...)

    This just adds to my general unease (i could just be being a paranoid old fart perhaps) that the standard of software engineering in the Linux world is slowly dropping

    1. John G Imrie

      It's not running a script

      It's parsing the file name in a context that allows it to be run in a shell

    2. Crazy Operations Guy

      Its not running scripts, just a basic injection attack. The script to auto-mount is taking the volume label concatenating it into a string, then running that string as a command in a shell. I presume its searching against a flat-file that maps the volume label to other parameters like mount point, permissions, etc. that get fed into the mount command.

      Since it is running arbitrary code, you -could- tell it to run a script, but it doesn't have to be.

      1. g00se

        Right, but i still don't get it. WTF would be notifier be interpreting a string aimed at (mainly, presumably) mount as a command?

        1. Anonymous Coward
          Anonymous Coward

          mount -L LABEL /mnt/point/

          if LABEL = $(touch b), the command being executed would be:

          mount -L $(touch b) /mnt/point/

          $(touch b) gets evaluated first (being in brackets), that creates a file 'b' and returns nothing, the command being executed then becomes: mount -L /mnt/point

          That should give you the idea. There is probably more to it, the mount command would fail if that were it, so they're probably passing another source param (likely the device) too.

        2. Crazy Operations Guy

          I imagine that it is searching a text file to see if it has seen that volume before so it can use user settings versus defaults. Probably so users can set permission-bit-masks, mount options, etc

          They author probably just took a script they already had, expecting that someone would replace it alter, but since it functioned correctly, no one bothered to look at the code to see what it was actually doing. Fairly common problem in under-resourced software projects: Someone sets up a script or something as a placeholder for the real code they intend to write; deadline approaches, so code is forced to be shipped without replacing the script; developer ends up working on bugs and other issues and either forgets about the script or just remains busy with fixing broken items versus correcting working code.

          1. FensMan

            Hmm. Is the volume label being passed to a shell for interpretation (hence allowing execution of the $(touch b), instead of just being passed as an argument to exec()? Why?

      2. PNGuinn

        And which bunch ...

        Remind me - which bunch of idiots invented this autorun malarky in the first place?

        1. Ken Hagan Gold badge

          Re: And which bunch ...

          His Holiness Steve Jobs, I believe, is the Original Sinner.

          However, a more pertinent question is why the sin has been copied by almost everyone despite it being a known-terrible idea.

        2. Anonymous Coward
          Anonymous Coward

          Re: And which bunch ...

          Hey just because you neighbour decided to screw hooker that has been waiting three weeks for the free clinic does not mean you have to do it to .

          Thats like blaming MS for KDE deciding to hide file extensions.

          1. g00se

            Re: And which bunch ...

            Thats like blaming MS for KDE deciding to hide file extensions.

            Pleeeeeeeease tell me that KDE (which i've never used, since it's too Windowsy and bloated) doesn't do that too!?

            1. joeaverage

              Re: And which bunch ...

              You can turn that off and on in Windows and KDE alike. Just use your favourite search engine and the answer will be there.

        3. trolleybus

          Re: And which bunch ...

          This isn't autorun, in the .inf sense. Just mounting a new volume when it sees one. Something that Burroughs computers were doing quite happily in the early 70s without magaging to run arbitrary code.

    3. Chemist

      "It's bad enough auto-mounting by default"

      Well it's just box clear/tick in System Settings to enable/disable automount. There are finer grained options as well if you do want to automount something.

      What I can't remember because I always have it turned off is what the default setting for a fresh install is.

  5. Anonymous Coward
    Anonymous Coward

    That's a problem with KDE

    It looks nice but quite a lot of things under the hood are giving off the the feel that they have been designed by a not-yet-fully-matured-and-skilled team.

    In particular, kmail spooked the hell out of me. Watch what happens when you blow away the akonadi database. kmail will start sending e-mail to whomever: - this being due to akondi rebuilding itself with completely random identifiers that are no longer in sync with kmail. Great stuff.

    1. Crazy Operations Guy

      Re: That's a problem with KDE

      From my experience, the KDE team is primarily one-off developers that aren't dedicated to the project itself, but are avid users of KDE, so they'll scribble up a code patch, submit it, and it ends up in the tree. Since their code works well enough, the core developers end up ignoring the edge-case bugs and instead focus on the highly-visible bugs or working on features.

      Not saying that it is only the KDE project that suffers from this, its becoming quite prevalent across pretty much all software projects, both Open and closed.

    2. I am the liquor

      Re: That's a problem with KDE

      Discover is another one that is, to quote an assessment I read on a forum, a dumpster fire of an application. It seems to get more crash-prone with every version increment.

  6. Chris Gray 1

    evil injection

    For web servers, one of the big security problems for quite a few years has been SQL injection attacks. We solved those quickly, right? Right? Anyone?

    So, for Unix-based boxes, script injection attacks will be solved just as quickly. Sigh.

    Both work the same way - stuff that should not be trusted is blindly stuffed into command strings, and the command strings are then parsed and run with whatever privileges they "need". Its just plain a bad idea.

    Do Windows servers have similar problems, or does Microsoft shipping huge binary blobs actually help with this?

  7. kain preacher

    Wait didn't we go over this with 98,XP. I could of sworn we did,

    1. Lysenko

      Linux runs on 2-3% of desktops and KDE on only a fraction of those. Windows is therefore more thoroughly tested and stuff like this gets found faster. Hating MSFT and evangelising FOSS can't change the maths.

      1. Pascal Monett Silver badge
        Thumb Down

        Um, looking at my Windows 7 install, that effing Autoplay is still there - even with all the options turned off.

        So no, stuff like this is not thoroughly tested just because MSFT.

        Generally, though, I have to agree that because Windows is still everywhere for the moment, whatever goes wrong on it is generally found pretty quickly. As for problems being corrected, that will depend on whether or not Microsoft decides to declare that it is a feature.

        1. kain preacher

          Auto play is not the same as auto run

        2. Lysenko

          So no, stuff like this is not thoroughly tested just because MSFT.

          True, it is more thoroughly tested because Windows runs on 88% of desktop/laptop PCs and is therefore the primary target for most security researchers and hackers. As I said, it's about the numbers, not the vendor or ideological purity.

          Personally, I find Linux far easier to compromise cf. Windows precisely because it is FOSS. I recently modified and rebuilt SSH to log the passwords attackers use against my servers. I could have made it do anything of course, including building in a hard-coded back door. Much harder to do that with a closed source OS. Now you, being intimately familiar with GNU/Linux source code, might notice that I had done that - but would your average user? I doubt it.

          autoplay isn't autorun btw. This attack couldn't work via Windows autoplay functions. If you know different, I'm sure the NSA will be in touch with a suitable cheque ;)

          1. ibmalone Silver badge

            You compiled your own software that you run and could have compromised it while doing so? I'm shocked!

            1. Lysenko

              You compiled your own software that you run and could have compromised it while doing so? I'm shocked!

              Exactly so, which is why FOSS "freedom" matters to people like me and is an irrelevance to everyone else (the vast majority).

      2. sisk

        Windows is therefore more thoroughly tested and stuff like this gets found faster.

        And that's why you can't infect Windows machines with malicious flash drives, right? I mean never mind that the malicious flash drive left lying around for a curious user to plug into their machines has been and remains one of the most easily exploited attack vectors for close to 20 years, it must not work because these sorts of vulnerabilities get found faster in Windows, right?

        Hating MSFT and evangelising FOSS can't change the maths.

        No, it can't. And the maths clearly show that hating on ANY modern OS on the grounds of security is silly. They can ALL be locked down tighter than the NSA's sphincter (and, also, any place that's serious about security would absolutely disable the ability for normal users to mount flash drives at all for the very reason I mentioned above).

        1. GerryMC

          "these sorts of vulnerabilities get found faster in Windows, right?"

          Yes, by the NSA

  8. sisk

    So this is yet another case of lazy or inexperienced programmers using system() or exec() or some similar function without dealing with special characters in the input first. These vulnerabilities aren't entirely unlike SQL injection vulnerabilities. It's an easy fix (just remove or escape the special characters before passing the string off to system(), as basic a concept as cleansing inputs), but the fact that the fix is needed at all makes me wonder what other massive security holes lie awaiting discovery in that particular code base.

    1. ibmalone Silver badge

      For system calls, exec passes the argument list directly, it's system that executes through the shell. But yes, going by other comments, essentially an injection/escaping attack, quite similar to "shellshock". I'd no idea stuff in KDE was doing system type calls, probably calls for a code review.

  9. handleoclast

    Is KDE still a thing?

    Many, many years ago I used KDE. I liked it. One day, after an upgrade, it started playing a little login jingle (just like Windows). The only way I could find to turn the jingle off (I didn't look very hard) was to switch to Gnome. Gnome looked a lot better than it had the last time I compared the two, so I stopped using KDE. I figured KDE had lost the plot.

    I tried KDE again a year or two back, just to see what it was like. It had gone for the "phone interface" style, with almost everything hidden away behind magical hot spots that you had to try to find. That lasted just long enough for me to find the magic logout hotspot. KDE had definitely lost the plot.

    Gnome also eventually lost the plot, but I find Mate to be an adequate replacement.

    What is wrong with these people?

    1. Citizen99

      Re: Is KDE still a thing?

      Have you tried Trinity (the fork of KDE 3.5) ? Preserves the 'traditional' setup, still with the nice utilities.

    2. ibmalone Silver badge

      Re: Is KDE still a thing?

      It was Gnome that went touch-style interface (maybe five years ago now), Plasma still looks like a traditional desktop. They did briefly try the 'activities' thing, which you could just ignore and seems to have gone now.

    3. nijam Silver badge

      Re: Is KDE still a thing?

      > What is wrong with these people?

      Chasing the fads that smartphones (and yes, Windows 8) conned people into thinking were trendy?

    4. joeaverage

      Re: Is KDE still a thing?

      I disagree completely. KDE is alot like Win7. Right-click menus. "Start button" with a menu. Taskbar with a systray.

      I run Mint Linux 18 KDE and its everything I want in an OS.

  10. jms222

    This is the problem. KDE, GNOME and friends change too often. Even with their annoyances the MS Windows and MacOS shells are useable and I won’t spend ages working out how to do something like say create a desktop shortcut. So I’d much rather keep UNIX family OSs (not just Linux) for servers where they rule and have something useable to live with.

    Should be obvious. If you want security remove or disable USB and that was the case before recent Intel AMT discoveries. If you want USB for keyboard and mouse GLUE THEM IN PLACE.

  11. petef

    Obligatory XKCD reference

    Exploits of a Mom

    1. Anonymous Coward
      Anonymous Coward

      Re: Obligatory XKCD reference

      That is hilarious! thanks :)

  12. sloshnmosh
    Thumb Up

    You had me at USB

    I'll say it again, I do love a good USB hack

  13. phuzz Silver badge

    Don't worry

    It's OK everyone. Both KDE users have patched now.

    1. ibmalone Silver badge

      Re: Don't worry

      Actually, I run two KDE machines. So there's probably just me.

      1. joeaverage

        Re: Don't worry

        I have two desktops, and a laptop running Mint Linux KDE. I have a several more Linux computers running various lightweight distros for older machines. I'm fixing them up to give away.

        At work I have about 50 computers running Mint Linux KDE (dual boot).

  14. Not That Andrew

    Unsurprisingly, this is a Plasma bug

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022