Researcher Finds Vulnerability Impacting Multiple Linux Marketplaces

Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting (XSS) vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.

Pling allows for the creation of free and open-source software (FOSS) marketplaces that are used for the distribution of software, themes, and other content that might not be available through other distribution channels.

Positive Security co-founder Fabian Bräunlein discovered that all Pling-based marketplaces are impacted by a wormable XSS that potentially opens the door for supply chain attacks.

The XSS flaw, the researcher explains, could be used to modify existing listings or add new ones to the Pling store in the context of other users. This could be abused in a supply chain attack in which the adversary uploads a backdoored version of an application and changes the metadata of the victim’s listings to point at the malicious payload.

The issue was initially discovered in the KDE Discover marketplace, but also impacts Pling-based FOSS app stores such as appimagehub.com, store.kde.org, gnome-look.org, xfce-look.org, and even pling.com itself.
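The listing-metadata XSS described above comes down to uploader-controlled fields (title, description, download link) being inserted into the store page without encoding. The following is an added example, not code from Pling or from Positive Security's write-up, showing the defensive rendering a marketplace should do: HTML-escape every uploader-supplied field and restrict the download link to http(s) URLs. The listing object, the helper names and the field names are constructed for this example.

```javascript
// Added example: server-side escaping of uploader-controlled listing metadata
// before it is concatenated into HTML. All names and sample data are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only allow http(s) download links; anything else (javascript:, data:,
// unparseable input) collapses to a harmless fragment link.
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch {
    return '#';
  }
}

// Render a listing card. Every field that originates from the uploader
// passes through escapeHtml (and safeHttpUrl for the link) first.
function renderListing(listing) {
  return [
    '<div class="listing">',
    `  <h2>${escapeHtml(listing.title)}</h2>`,
    `  <p>${escapeHtml(listing.description)}</p>`,
    `  <a href="${escapeHtml(safeHttpUrl(listing.downloadUrl))}">Download</a>`,
    '</div>',
  ].join('\n');
}

// Constructed sample: a listing whose description carries a script tag and
// whose download URL uses a javascript: scheme. Neither survives rendering.
const sampleListing = {
  title: 'Nice Theme <3',
  description: 'Dark theme<script>alert(1)</script>',
  downloadUrl: 'javascript:alert(document.cookie)',
};

console.log(renderListing(sampleListing));
```

Escaping at render time is the minimum; a store that also lets uploaders write rich descriptions would additionally need an HTML sanitiser with an allow-list of tags, which this example deliberately does not attempt.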

Additionally, the researcher discovered that the native PlingStore app, which is an Electron application, is affected by a remote code execution vulnerability that can be triggered from any browser. The app was designed to display websites and enable users to install software with a single click.

The PlingStore app includes a mechanism to run code at the OS level, and that mechanism allows any website to run arbitrary code, the researcher explains.

The issue resides in a local WebSocket server (ocs-manager) that the PlingStore app launches on startup and which listens for commands from the Electron app to perform various actions. According to Bräunlein, an attacker can chain three of its function calls to execute arbitrary native code once the aforementioned XSS is triggered inside the app.

“Browsers do not implement the Same-origin policy for WebSocket connections. Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent,” the researcher notes.

As long as PlingStore runs in the background, the vulnerability can be triggered from any malicious website visited in the browser.
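The quote above names the two mitigations: validate the Origin server-side, or add authentication on top of the WebSocket connection. The following is an added example, not ocs-manager's code, of a handshake gatekeeper for a local WebSocket helper that does both: the Origin header is normalised and checked against an exact allow-list, and a per-launch secret that only the trusted parent app knows must be presented in the Sec-WebSocket-Protocol header (the one request header a browser lets a page set on a WebSocket). The allow-listed origin, the token, the handshake strings and all function names are constructed for this example.

```javascript
// Added example: gatekeeping the HTTP Upgrade request of a local WebSocket
// server so that arbitrary web pages cannot drive it. Allow-list, token and
// sample handshakes are constructed; nothing here is ocs-manager's own code.

// Origins permitted to open a WebSocket to the local helper. Exact origins
// (scheme + host + port), never substring or suffix matches.
const ALLOWED_ORIGINS = new Set(['https://store.example.test']);

// Per-launch secret known only to the parent desktop app, which hands it to
// its own UI over a trusted channel. A random web page never learns it.
const SESSION_TOKEN = 'constructed-example-token-do-not-reuse';

// Normalise an Origin header to scheme://host[:port]. Returns null when the
// header is absent, literally "null" (opaque origins) or not an http(s) URL.
function normalizeOrigin(originHeader) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return null;
  try {
    const u = new URL(originHeader);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.origin; // canonical form; default ports are elided
  } catch {
    return null;
  }
}

// Compare two strings without leaking where they first differ.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Parse the client's handshake request into { method, path, headers }.
function parseHandshake(raw) {
  const [requestLine, ...headerLines] = raw.split('\r\n').filter((l) => l.length > 0);
  const [method, path] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Decide whether to complete the upgrade. Both checks must pass: Origin is
// only meaningful for browser clients (non-browser clients can omit or forge
// it), so the shared secret is required as well.
function shouldAcceptUpgrade(req, allowedOrigins = ALLOWED_ORIGINS, token = SESSION_TOKEN) {
  const h = req.headers;
  if (req.method !== 'GET') return { accept: false, reason: 'not a GET' };
  if ((h['upgrade'] || '').toLowerCase() !== 'websocket') return { accept: false, reason: 'not an upgrade' };
  const origin = normalizeOrigin(h['origin']);
  if (origin === null || !allowedOrigins.has(origin)) return { accept: false, reason: 'origin not allowed' };
  const presented = (h['sec-websocket-protocol'] || '')
    .split(',')
    .map((s) => s.trim())
    .find((s) => s.startsWith('token.'));
  if (!presented || !constantTimeEqual(presented.slice('token.'.length), token)) {
    return { accept: false, reason: 'bad token' };
  }
  return { accept: true, reason: 'ok' };
}

// Constructed handshakes: one from an unrelated web page, one from the trusted UI.
const COMMON =
  'GET /ocs HTTP/1.1\r\nHost: 127.0.0.1:8000\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n' +
  'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n';
const UNTRUSTED_HANDSHAKE = COMMON + 'Origin: https://some-other-site.example.test\r\n\r\n';
const TRUSTED_HANDSHAKE =
  COMMON + 'Origin: https://store.example.test\r\n' +
  'Sec-WebSocket-Protocol: ocs, token.' + SESSION_TOKEN + '\r\n\r\n';

console.log(shouldAcceptUpgrade(parseHandshake(UNTRUSTED_HANDSHAKE)));
console.log(shouldAcceptUpgrade(parseHandshake(TRUSTED_HANDSHAKE)));
```

The token check is what closes the gap the Origin check leaves: a browser always sends Origin and cannot lie about it, but any local process can open a raw socket to the helper with whatever headers it likes, so a helper that can run native code should never rely on Origin alone.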

Bräunlein says he attempted to contact Pling to responsibly disclose the vulnerability but received no response. However, he did manage to contact the KDE Discover and Gnome Shell Extensions developers, who were quick to address the issue.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
