A vulnerability in KDE ARK allows files to be overwritten when opening a compressed file


Dominik Penner and the KDE project have issued a warning about a vulnerability in the Ark archive manager (developed by the KDE project) in which the software does not always extract files to the location it should.

Penner reported this vulnerability to the KDE security team on July 20, 2020, and the bug was quickly fixed in Ark 20.08.0.

When a specially crafted archive is opened in the application, the vulnerability allows files to be overwritten outside the directory chosen for extraction.

Ark is the standard archive manager in the KDE environment and is shipped by almost all Linux distributions, and KDE lets users configure applications to start automatically when they log in.

These automatic starts are configured by placing special .desktop files in the ~/.config/autostart folder; each file specifies which program to run at login.

The problem also manifests itself when archives are opened from the Dolphin file manager (the Extract item in the context menu), which relies on Ark's functionality to handle archives. The vulnerability is reminiscent of the long-standing Zip Slip problem.

To take advantage of the bug, an attacker would simply have to lure the victim into opening an archive crafted for malicious purposes. Once opened, the bundled malware would run automatically to carry out the planned activities. This can range from the installation of crypto miners and Trojans to ransomware attacks and backdoor implants.

To demonstrate this, Penner developed a PoC that exploits the vulnerability: extracting a specially crafted archive into the current folder silently creates KDE autostart configuration files. Once autostart is configured, the next time the computer is restarted and the user logs into the account, the specified program runs, which leads to remote code execution.

According to a warning email on the KDE-Announce mailing list, this is a security issue in Ark up to version 20.04.3: a manipulated archive can extract its files anywhere in the home directory.

CVE-2020-16116 is a so-called path traversal attack. According to the advisory, attackers can manipulate the path information inside a malicious archive in such a way that the files it contains end up anywhere in the user's home directory after extraction (this is the point at which user interaction is required).

An attacker can modify ".bashrc" or drop a script into "~/.config/autostart" so that their code is run with the privileges of the current user.

Exploiting the vulnerability amounts to adding entries whose paths contain "../" sequences to the archive; while processing them, Ark can step outside the base directory.

Once the researcher reported the vulnerability, KDE released a patch for the tool.

According to the KDE advisory, the vulnerability, CVE-2020-16116, received a significant severity rating. KDE fixed the bug with the release of Ark 20.08.0, which stops such malicious archives from writing outside the extraction directory, and has also proposed the following workaround.

KDE users should therefore install the update, or apply the fix as a patch to an earlier version.

The recommendation is also to verify each archive before decompressing it: if the archive contains an entry that refers to a parent directory (for example, "../"), care must be taken.
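As an added example of the pre-extraction check recommended above (this is not Ark's or KDE's code), the following Python lists each member of a zip or tar archive and flags any whose path, after normalization, would land outside the chosen destination; the sample archives and the destination path /home/user/extract are constructed here for illustration.

```python
import io
import posixpath
import tarfile
import zipfile

DEST = "/home/user/extract"  # assumed extraction directory (placeholder)

def escapes_destination(name, dest=DEST):
    """True if member `name` would land outside `dest` (covers '../',
    absolute paths and backslashes, which some extractors treat as '/')."""
    norm = name.replace("\\", "/")
    if posixpath.isabs(norm):
        return True
    target = posixpath.normpath(posixpath.join(dest, norm))
    return posixpath.commonpath([dest, target]) != dest

def scan_zip(data, dest=DEST):
    """Names of zip members that would escape `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if escapes_destination(n, dest)]

def scan_tar(data, dest=DEST):
    """Same for tar; a symlink whose target escapes is flagged as well."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            # symlink targets are relative to the link's own directory
            link = posixpath.join(posixpath.dirname(m.name), m.linkname)
            if escapes_destination(m.name, dest) or (
                    m.issym() and escapes_destination(link, dest)):
                bad.append(m.name)
    return bad

def build_sample_zip():
    """Constructed sample: a benign entry plus one that climbs into
    ~/.config/autostart, the pattern the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../../.config/autostart/evil.desktop", "[Desktop Entry]")
    return buf.getvalue()

def build_sample_tar():
    """Constructed sample: a symlink whose target points above the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../.bashrc"
        tf.addfile(link)
    return buf.getvalue()
```

An archive for which either scan returns a non-empty list should be inspected by hand rather than extracted.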

For those interested in the structure of the archives that can exploit this vulnerability, a sample malicious archive can be tested from the link below.

Penner found that the Ark archive utility does not strip traversal sequences from entry paths when extracting. This bug made it possible to build archives that drop files anywhere the user has write access.

Finally, if you want to know more about it, you can check the details at the following link.
