Researcher Finds Vulnerability Impacting Multiple Linux Marketplaces

Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting (XSS) vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.

Pling allows for the creation of free and open-source software (FOSS) marketplaces that are used for the distribution of software, themes, and other content that might not be available through other distribution channels.

Positive Security co-founder Fabian Bräunlein discovered that all Pling-based marketplaces are impacted by a wormable XSS that potentially opens the door for supply chain attacks.

The XSS flaw, the researcher explains, could be used to modify listings or add new ones to the Pling store, in the context of other users. This could be abused in a supply chain attack in which the adversary uploads a backdoored version of an application and changes the metadata of the victim’s listings to include the malicious payload.

The issue was initially discovered in the KDE Discover marketplace, but also impacts Pling-based FOSS app stores such as appimagehub.com, store.kde.org, gnome-look.org, xfce-look.org, and even pling.com itself.

Additionally, the researcher discovered that the native PlingStore app, which is an Electron application, is affected by a remote code execution vulnerability that can be triggered from any browser. The app was designed to display websites and enable users to install software with a single click.

The PlingStore app includes a mechanism to run code on the OS level and that mechanism allows any website to run arbitrary code, the researcher explains.

The issue resides with a local WebSocket server (ocs-manager) that the PlingStore app launches when started, and which listens for commands from the Electron app to perform various actions. According to Bräunlein, an attacker can combine three function calls to execute arbitrary native code when triggering the aforementioned XSS within the app.

“Browsers do not implement the Same-origin policy for WebSocket connections. Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent,” the researcher notes.

As long as PlingStore runs in the background, the vulnerability can be triggered from any malicious website visited in the browser.

Bräunlein says he attempted to contact Pling to responsibly disclose the vulnerability, but received no response. However, he did manage to contact the KDE Discover and Gnome Shell Extensions developers, who were quick to address the issue.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.