The security researcher Fabian Bräunlein from Positive Security has discovered a previously unfixed cross-site scripting (XSS) vulnerability in Pling-based Linux app stores, which is also said to affect the native Pling-Store application. The vulnerability could be misused to manipulate listings, i.e. apps available for download, in affected stores and, for example, add malicious code to them. According to the researcher, the Pling Store app can also be used to execute any program code remotely (Remote Code Execution, RCE) on Linux systems under certain conditions.

The Pling platform is part of the portal from hive 01 GmbH. It serves as an alternative download source for themes, icons, desktop backgrounds, software and more for Linux. Several well-known app stores, such as the KDE Store, are Pling-based; Positive Security mentions other examples. The Pling-Store application (also "PlingStore", formerly OCS-Store), which is based on the Electron framework, on the other hand, is intended to facilitate the installation and management of Pling content and is advertised for this purpose by Pling-based app stores.

[Figure: The upper field allows adding (malicious) JavaScript code.]

Bräunlein emphasizes in the blog post that the XSS gap is theoretically "wormable". An attack scenario in which the listings of any developer could be contaminated with malicious code would in theory look as follows: the attacker initially creates his own app entry and "hides" his JavaScript payload, an XSS worm, in the listing input field already mentioned. The worm includes code that, as a first step, enables it to hijack the session of the person calling up the listing. If this person is a developer, the worm can access their listings in the next step. It then writes its own code into the "HTML or Embed media code" field of the third-party listings in order to spread further from there. It could also replace the third-party app itself with an almost identical copy with a built-in backdoor. In this context, Bräunlein also points out that the Pling-based stores share user accounts and session data. However, he has not published proof-of-concept code for the worm scenario.

Pling Store app also vulnerable beyond the XSS gap

According to Bräunlein, the XSS attacks also work when calling up prepared listings from the Pling Store app. In addition, remote code execution is even possible via XSS through the app. The reason for this is further security flaws in the app, more precisely in the component ocs-manager, a local WebSocket server. According to the researcher, the lack of validation and authentication mechanisms means that any website can initiate a connection to the WebSocket server from any browser and that ocs-manager accepts any transmitted commands. In this way, arbitrary AppImage files could be downloaded and executed from a prepared website the user visits, without further user interaction, as long as the Pling Store app is running in the background. Proof-of-concept code demonstrates this; only the implementation of a required port brute-forcing mechanism has been omitted by Bräunlein. "The WebSocket server (ocs-manager), which is started when PlingStore is launched and accepts commands from any website, looks for a free, local port when it starts. This is hardcoded in the PoC script (…), but can easily be guessed by programmatic trial and error", the researcher explained to heise Security.

The gap still exists – no reaction from the developers

According to his own information, Bräunlein has tried several times since the end of February 2021 to contact the Pling developers via email, telephone and forum posts. Until now, however, they have neither responded nor eliminated the security gap in their products. heise Security also contacted hive 01 GmbH by email yesterday, but has not yet received an answer.