Bug 389815

Summary: Possibility of code execution when opening volume which label contains `` or $() from notifications panel
Product: [Plasma] plasmashell Reporter: Krzysztof Sielużycki <ksieluzycki>
Component: Disks & DevicesAssignee: Plasma Bugs List <plasma-bugs>
Status: RESOLVED FIXED    
Severity: critical CC: bhush94, kde, nate, plasma-bugs
Priority: NOR    
Version: 5.10.5   
Target Milestone: 1.0   
Platform: Debian testing   
OS: Linux   
Latest Commit: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 Version Fixed In:
Attachments: The notification panel where I open the volume
The error when volume is named `id`

Description Krzysztof Sielużycki 2018-02-03 07:00:22 UTC 
Hello,

When opening volume which label contains `` or $() from notifictions panel the code gets executed. For example, opening a volume named `touch blabla` creates a file  named blabla in user home folder. 
This happens only when opening volume from notification bar (see attachment), not when opening it from Dolphin directly.

Regards,
Krzysztof
Comment 1 David Edmundson 2018-02-04 00:11:12 UTC 
>see attachment

What attachment?
Comment 2 David Edmundson 2018-02-04 00:14:23 UTC 
Also, please confirm which solid backend you are using.

solid-hardware5 list

should tell you
Comment 3 Krzysztof Sielużycki 2018-02-04 07:43:01 UTC 
Created attachment 110327 [details]
The notification panel where I open the volume
Comment 4 Krzysztof Sielużycki 2018-02-04 07:45:30 UTC 
Created attachment 110328 [details]
The error when volume is named `id`

Title: Error - KIO Client
Text: Cannot execute command. File or directory /media/hex/uid=1000 (..) does not exist.
Comment 5 Krzysztof Sielużycki 2018-02-04 07:48:55 UTC 
Sorry I forgot about attachment yesterday.

solid-hardware5 list details returns:

udi = '/org/freedesktop/UDisks2/block_devices/sdb1'
  parent = '/org/freedesktop/UDisks2/drives/Generic_STORAGE_DEVICE_Generic_STORAGE_DEVICE_0_3a0'  (string)
  vendor = 'Generic'  (string)
  product = 'STORAGE DEVICE'  (string)
  description = '`touch foo`'  (string)
  Block.major = 0  (0x0)  (int)
  Block.minor = 2065  (0x811)  (int)
  Block.device = '/dev/sdb1'  (string)
  StorageAccess.accessible = true  (bool)
  StorageAccess.filePath = '/media/hex/`touch foo`'  (string)
  StorageAccess.ignored = false  (bool)
  StorageVolume.ignored = false  (bool)
  StorageVolume.usage = 'FileSystem'  (0x2)  (enum)
  StorageVolume.fsType = 'ntfs'  (string)
  StorageVolume.label = '`touch foo`'  (string)
  StorageVolume.uuid = '04dcc0b2dcc09ef4'  (string)
  StorageVolume.size = 64155025408  (0xeeff00000)  (qulonglong)



Regards,
Krzysztof
Comment 6 Marco Martin 2018-02-05 12:37:43 UTC 
Git commit f32002ce50edc3891f1fa41173132c820b917d57 by Marco Martin.
Committed on 05/02/2018 at 12:35.
Pushed by mart into branch 'Plasma/5.12'.

Make sure device paths are quoted

in the case a vfat removable device has $() or `` in its label,
such as $(touch foo) the quoted command may get executed,
leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote
to make sure everything is quoted and not interpreted as a command

M  +1    -1    soliduiserver/deviceserviceaction.cpp

https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Comment 7 Marco Martin 2018-02-05 12:37:43 UTC 
Git commit 9db872df82c258315c6ebad800af59e81ffb9212 by Marco Martin.
Committed on 05/02/2018 at 12:12.
Pushed by mart into branch 'Plasma/5.8'.

Make sure device paths are quoted

in the case a vfat removable device has $() or `` in its label,
such as $(touch foo) the quoted command may get executed,
leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote
to make sure everything is quoted and not interpreted as a command

M  +1    -1    soliduiserver/deviceserviceaction.cpp

https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212