KDE Konsole Remote Code Execution Vulnerability via URL Scheme Handling
Vulnerability
A remote code execution vulnerability exists in KDE Konsole versions prior to 25.04.2. The issue arises when Konsole is invoked with certain URL schemes (ssh://, telnet://, or rlogin://) and the corresponding binary is unavailable. In such cases, Konsole defaults to using /bin/bash to execute the provided arguments, which can be exploited to run arbitrary code.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected system.
Reproduction
The vulnerability can be reproduced by loading a website in a browser that supports the execution of URL schemes. The site must include a script that downloads a file containing a command (such as a bash script) and then redirects to a telnet URL pointing to that file. If Konsole is set to handle the telnet URL but the telnet binary is not installed, Konsole will execute the file using bash, thereby executing the command.
Remediation
Users can upgrade to KDE Konsole version 25.04.2 or later, or for Debian users, upgrade to version 4:20.12.3-1+deb11u1.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.