The security researcher Fabian Bräunlein from Positive Security has discovered a still-unpatched cross-site scripting (XSS) vulnerability in Pling-based Linux app stores, which is also said to affect the native Pling Store application. The vulnerability could be misused to manipulate listings, i.e. the apps offered for download in the affected stores, and, for example, add malicious code to them. According to the researcher, the Pling Store app can additionally be abused, under certain conditions, to execute arbitrary program code remotely (Remote Code Execution, RCE) on Linux systems.
The Pling platform is part of the opendesktop.org portal operated by hive 01 GmbH. It serves as an alternative download source for themes, icons, desktop backgrounds, software and more for Linux. Several well-known app stores, such as the KDE Store, are based on it; Positive Security names appimagehub.com, gnome-look.org and xfce-look.org as further examples. The Electron-based application Pling Store (also "PlingStore", formerly OCS-Store), on the other hand, is intended to simplify installing and managing Pling content and is advertised for this purpose by the Pling-based app stores.
“Wormable” XSS via input fields for listings
In this context, Bräunlein also points out that the Pling-based stores share user accounts and session data, which is what would make such an XSS "wormable" across stores. However, he has not published proof-of-concept code for the worm scenario.
Pling Store app also vulnerable beyond the XSS flaw
According to Bräunlein, the XSS attacks also work when prepared listings are opened from within the Pling Store app. Beyond that, the app even makes remote code execution possible. The reason is a further set of security flaws in the app, more precisely in the ocs-manager component, which runs as a local WebSocket server. According to the researcher, the absence of validation and authentication means that any website, opened in any browser, can connect to this WebSocket server, and that ocs-manager then accepts whatever commands it is sent. In this way, a prepared website the victim visits could download and execute arbitrary AppImage files without any further user interaction, as long as the Pling Store app is running in the background.
Proof-of-concept code demonstrates this; only the port brute-forcing that an attack in practice would need has been left out by Bräunlein. "The WebSocket server (ocs-manager), which is started when PlingStore is launched and accepts commands from any website, looks for a free, local port when it starts. This is hardcoded in the PoC script (…), but can easily be guessed by programmatic trial and error", the researcher explained to heise Security.
The flaw still exists – no reaction from the developers
By his own account, Bräunlein has tried several times since the end of February 2021 to contact the Pling developers by email, telephone and forum posts. So far, however, they have neither responded nor fixed the vulnerabilities in their products. heise Security also contacted hive 01 GmbH by email yesterday, but has not yet received an answer.
Since the XSS and RCE risks remain, Bräunlein advises in his blog post not to use the Pling Store app for the time being, or better still to remove the vulnerable AppImage from the system entirely. Although no exploitation in the wild has been observed and no public code for a possible XSS worm has surfaced, the researcher also advises users to bear in mind that, in principle, any listing in a Pling-based Linux app store could hijack the accounts of logged-in users and deliver malicious code. The safest course is to log out of the stores for now and not use them.
Incidentally, the Gnome team was more responsive than hive 01: an XSS vulnerability in the Gnome Extensions website (extensions.gnome.org), also described in the blog post, was fixed within 24 hours and has not posed a threat since the end of February.