- Positive Security researcher Fabian Bräunlein discovered an unpatched cross-site scripting (XSS) vulnerability in Pling-based Linux app stores, which also affects the native Pling-Store app. The vulnerability could be misused to manipulate listings, i.e. the applications available for download, in affected stores and, for example, add malicious code to them. According to the researcher, the Pling Store app can additionally be abused under certain conditions to execute arbitrary remote program code (Remote Code Execution, RCE) on Linux systems.
The Pling platform is part of the opendesktop.org portal of hive 01 GmbH. It serves as an alternative download source for themes, icons, wallpapers, software and more for Linux. Several well-known app stores, such as the KDE Shop, are among them; Positive Security mentions appimagehub.com, gnome-look.org and xfce-look.org as further examples. The Electron-based Pling-Store application (also "PlingStore", formerly OCS-Store), on the other hand, is intended to make installing and managing Pling content easier and is promoted for this purpose by the Pling-based app stores.
XSS “Wormable” via input fields for announcements
In this context, Bräunlein also points out that Pling-based stores share user accounts and session data. However, he has not released any proof-of-concept code for the worm scenario.
The Pling Store app is also vulnerable beyond the XSS gap
According to Bräunlein, the XSS attacks also work when manipulated listings are opened from within the Pling Store app. Beyond that, the app even makes remote code execution possible via XSS. The reason lies in further security flaws in the application, more precisely in the ocs-manager component, which acts as a local WebSocket server. According to the researcher, the lack of validation and authentication mechanisms means that any website can open a connection to the WebSocket server from any browser, and ocs-manager accepts every command sent to it. In this way, arbitrary AppImage files can be downloaded and executed from a prepared website, as soon as it is visited and without any further user interaction, as long as the Pling Store app is running in the background.
Proof-of-concept code demonstrates this; Bräunlein merely left out the port brute-forcing mechanism that would be required. "The WebSocket server (ocs-manager), which is started when PlingStore starts up and accepts commands from any website, looks for a free local port on startup. This is hard-coded into the PoC script (…), but can easily be guessed by programmatic trial and error," the researcher explained to heise Security.
The gap still exists – no reaction from the developers
According to his own account, Bräunlein has made several attempts since the end of February 2021 to contact the Pling developers by email, phone and forum posts. So far, however, they have neither responded nor addressed the security flaw in their products. heise Security also contacted hive 01 GmbH by email yesterday, but has not yet received a response.
Since the XSS and RCE risks still exist, Bräunlein advises in the blog post not to use the Pling Store app for now or, better still, to remove the vulnerable AppImage from the system entirely. Although no exploits in the wild have been observed so far and no public code for a possible XSS worm has emerged, the researcher also advises being aware that listings in virtually all Pling-based Linux app stores could hijack logged-in user accounts and deliver malicious code. It is better to log out temporarily and not to use the stores.
Incidentally, the Gnome team proved more responsive than hive 01: an XSS vulnerability on the Gnome Extensions website (extensions.gnome.org), also described in the blog post, was fixed within 24 hours and has posed no threat since the end of February.
Disclaimer: This article is generated from the feed and is not edited by our team.