Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting (XSS) vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.
Pling allows for the creation of free and open-source software (FOSS) marketplaces that are used for the distribution of software, themes, and other content that might not be available through other distribution channels.
Positive Security co-founder Fabian Bräunlein discovered that all Pling-based marketplaces are impacted by a wormable XSS that potentially opens the door for supply chain attacks.
The XSS flaw, the researcher explains, could be used to modify listings or add new ones to the Pling store, in the context of other users. This could be abused in a supply chain attack in which the adversary uploads a backdoored version of an application and changes the metadata of the victim’s listings to include the malicious payload.
The issue was initially discovered in the KDE Discover marketplace, but also impacts Pling-based FOSS app stores such as appimagehub.com, store.kde.org, gnome-look.org, xfce-look.org, and even pling.com itself.
Additionally, the researcher discovered that the native PlingStore app, which is an Electron application, is affected by a remote code execution vulnerability that can be triggered from any browser. The app was designed to display websites and enable users to install software with a single click.
The PlingStore app includes a mechanism for running code at the OS level, and that mechanism allows any website to run arbitrary code, the researcher explains.
The issue resides with a local WebSocket server (ocs-manager) that the PlingStore app launches when started, and which listens for commands from the Electron app to perform various actions. According to Bräunlein, an attacker can combine three function calls to execute arbitrary native code when triggering the aforementioned XSS within the app.
“Browsers do not implement the Same-origin policy for WebSocket connections. Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent,” the researcher notes.
As long as PlingStore runs in the background, the vulnerability can be triggered from any malicious website visited in the browser.
Bräunlein says he attempted to contact Pling to responsibly disclose the vulnerability, but received no response. However, he did manage to contact the KDE Discover and Gnome Shell Extensions developers, who were quick to address the issue.