CVE-2020-16116 path traversal vulnerability in KDE Ark Tool allows hackers to remotely execute arbitrary code or implant malware
The popular KDE Ark archive tool contains a path traversal vulnerability that potential hackers could exploit to overwrite files or execute code remotely on a system. It can also be used to implant malware or ransomware on systems running KDE Ark versions 20.03.80, 20.03.90, 20.04.0, 20.04.1, 20.04.2, 20.04.3 and 20.07.80.
Ark is a file archiver and compressor developed by KDE for Linux, and most Linux distributions ship it as part of the KDE software bundle. It is an archiving application comparable to WinZip or WinRAR on Windows and supports common archive and compression formats, including zip, 7z, rar, lha and tar.
The vulnerability was discovered by security researcher Dominik Penner of Hackers for Change and has been assigned the identifier CVE-2020-16116 with a high severity score.
CVE-2020-16116 is a path traversal flaw caused by an input validation error when directory traversal sequences inside an archive are processed. A remote hacker can create a specially crafted archive, trick the victim into extracting files from it, and overwrite arbitrary files on the system with the privileges of the current user.
Once a victim opens a malicious archive, the hacker can set malicious programs (such as file encryptors) to run automatically and install cryptocurrency miners, malware, ransomware or backdoors. The KDE desktop environment allows users to launch applications automatically when they log in. Autostart is configured by placing special desktop files in the ~/.config/autostart folder that specify which program to run at login.
Penner found that the vulnerable versions of the Ark archive utility did not strip directory traversal sequences when unpacking an archive. To demonstrate the vulnerability, Penner developed a Proof of Concept (PoC) exploit that is available here (ZIP file).
The PoC exploits CVE-2020-16116 to create KDE autostart configuration files automatically when a specially crafted archive is extracted in the current folder. Once autostart is set, the specified program runs the next time the computer is restarted and the account is logged into, leading to remote code execution.
Penner reported this vulnerability to the KDE security team, and the issue was fixed in Ark 20.08.0 on 30th July 2020.
Workaround for the CVE-2020-16116 Ark path traversal flaw:
The KDE Ark development team suggests that Ark users should not use the ‘Extract’ context menu from the Dolphin file manager. Before extracting a downloaded archive with the Ark GUI, users should inspect it to make sure it contains no entries with “../” in the file path.
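The manual inspection recommended above can be scripted. The following is an added example, not code from the article or from KDE: it lists the entries of a zip or tar archive whose names would resolve outside the extraction directory (absolute paths or `..` components that climb above it) and runs the check over a constructed sample archive; the `DEST` path is an assumed placeholder.

```python
import io
import posixpath
import tarfile
import zipfile

DEST = "/tmp/extract"  # assumed extraction directory; only relative resolution matters

def entry_escapes(name: str, dest: str = DEST) -> bool:
    """True if an archive entry name would be written outside dest.

    The workaround's manual "../" inspection, made strict: absolute names and
    any '..' climbing above dest are flagged; '..' that still normalises to a
    path inside dest (e.g. "a/../b") is allowed.
    """
    normalised = posixpath.normpath(name.replace("\\", "/"))
    if posixpath.isabs(normalised):
        return True
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, normalised))
    return not (target == dest_norm or target.startswith(dest_norm + "/"))

def unsafe_entries(data: bytes) -> list:
    """Names of zip or tar entries in the archive bytes that would escape DEST."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    else:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            names = [m.name for m in tf.getmembers()]
    return [n for n in names if entry_escapes(n)]

def build_sample_zip() -> bytes:
    """Constructed sample archive (not the researcher's PoC) with mixed entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign, stays inside")
        zf.writestr("../escape.txt", "lands one level above the destination")
        zf.writestr("../../.config/autostart/sample.desktop", "[Desktop Entry]")
        zf.writestr("nested/../inside.txt", "has '..' but normalises inside")
    return buf.getvalue()

def build_sample_tar() -> bytes:
    """Constructed tar with one traversal entry, exercising the tar branch."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.addfile(tarfile.TarInfo("../escape.txt"), io.BytesIO(b""))
    return buf.getvalue()
```

Run `unsafe_entries(open("download.zip", "rb").read())` on a real download; an empty list means no entry escapes the destination.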
Alternatively, users can apply the patch to their existing KDE Ark installation by visiting this GitHub, or update KDE Ark to version 20.08.0, though the stable version is yet to be released.