Brief Analysis of KDE4/5 Command execution vulnerability (CVE-2019-14744)

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Author: HACHp1@Knownsec 404 Lab

Date: 2019-08-08

Original link: https://paper.seebug.org/1006/

Brief introduction to the vulnerability

KDE Frameworks is a set of libraries and software frameworks written by the KDE community. It is the foundation of KDE Plasma 5 and KDE Applications 5 and is released under the GNU General Public License. Its independent frameworks provide a variety of commonly used functions, including hardware integration, file format support, controls, drawing functions, spell checking and so on. KDE Frameworks is currently used by several Linux distributions, including Kubuntu, OpenMandriva and openSUSE.

Dominik Penner (@zer0pwn) discovered KDE framework version desktopGroup.readEntry("Icon", QString()) on July 28th, 2019;}

Following the call, we find that KConfigPrivate::expandString(aValue) is called:

kconfiggroup.cpp:

    QString KConfigGroup::readEntry(const char *key, const QString &aDefault) const
    {
        Q_ASSERT_X(isValid(), "KConfigGroup::readEntry", "accessing an invalid group");

        bool expand = false;

        // read value from the entry map
        QString aValue = config()->d_func()->lookupData(d->fullName(), key, KEntryMap::SearchLocalized, &expand);
        if (aValue.isNull()) {
            aValue = aDefault;
        }

        if (expand) {
            return KConfigPrivate::expandString(aValue);
        }

        return aValue;
    }

Following further, and consistent with the earlier reading of the official KDE documentation, this is where dynamic commands are parsed. The program takes the part of the string between the first occurrence of "$(" and the first occurrence of ")" as a command, and then calls popen to execute it:

kconfig.cpp:

    QString KConfigPrivate::expandString(const QString &value)
    {
        QString aValue = value;

        // check for environment variables and make necessary translations
        int nDollarPos = aValue.indexOf(QLatin1Char('$'));
        while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
            // there is at least one $
            if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
                int nEndPos = nDollarPos + 1;
                // the next character is not $
                while ((nEndPos
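The extraction rule described above (the text between the first "$(" and the first ")" is what reaches popen) can be reused as an audit check over desktop entry files. This is an added example, not code from the original article or from KDE: the function names and the sample file content are constructed, the `[$e]` key suffix in the sample is KConfig's shell-expansion marker and does not appear on this page, and the check flags every value containing "$(" whether or not the expand flag would be set for it.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Returns the text the described parsing would treat as a command: the part
// between the first "$(" and the first ")" after it. Nothing is executed.
std::string extractCommand(const std::string &value) {
    std::size_t open = value.find("$(");
    if (open == std::string::npos) return "";
    std::size_t close = value.find(')', open + 2);
    // Assumption: for an unterminated "$(" report the rest of the value.
    if (close == std::string::npos) return value.substr(open + 2);
    return value.substr(open + 2, close - open - 2);
}

struct Finding { int line; std::string key; std::string command; };

// Scans key=value lines of a desktop entry file for values containing "$(".
std::vector<Finding> auditEntries(const std::string &text) {
    std::vector<Finding> findings;
    std::istringstream in(text);
    std::string line;
    int lineNo = 0;
    while (std::getline(in, line)) {
        ++lineNo;
        if (line.empty() || line[0] == '#' || line[0] == '[') continue;
        std::size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        std::string value = line.substr(eq + 1);
        if (value.find("$(") == std::string::npos) continue;
        findings.push_back({lineNo, line.substr(0, eq), extractCommand(value)});
    }
    return findings;
}

// Constructed sample input, not taken from a real file.
const std::string kSample =
    "[Desktop Entry]\n"
    "Type=Directory\n"
    "Name=Reports\n"
    "Icon[$e]=$(constructed-command --flag)\n"
    "Comment=costs $5 (approx)\n";

int main() {
    for (const Finding &f : auditEntries(kSample))
        std::cout << "line " << f.line << ": key " << f.key
                  << " would run: " << f.command << "\n";
}
```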
