Vulnerability In KDE Archive Tool Could Allow Linux Account Takeovers

The KDE Ark archive tool contains a path traversal vulnerability that attackers could exploit to overwrite files or execute code remotely on a victim's system.

Ark is a file archiver and compressor developed by KDE for Linux. Most Linux distributions ship it as part of the KDE software bundle. It is an archiver application comparable to WinZip or WinRAR on Windows, and it supports common archive and compression formats including zip, 7z, rar, lha and tar.

The bug was first reported by security researcher Dominik Penner and has been assigned the identifier CVE-2020-16116, with a high severity score.

CVE-2020-16116 is a path traversal flaw. It exists because Ark fails to validate entry paths for directory traversal sequences when processing an archive.

A remote attacker can create a specially crafted archive and trick the victim into extracting it, thereby overwriting arbitrary files on the system with the privileges of the current user.

In short, to exploit the bug an attacker only has to lure the victim into opening a maliciously crafted archive. Once opened, the included malware would automatically execute to perform the intended activities, which may range from installing cryptominers and trojans to ransomware attacks and backdoor implants.

Patch Released With Ark 20.08.0

KDE has patched the archive tool vulnerability with the release of Ark 20.08.0, which prevents the loading of malicious archives. KDE has also proposed the following workaround.

Users should not use the ‘Extract’ context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn’t contain entries with “../” in the file path.
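The workaround above asks users to inspect an archive for entries containing “../” before extracting it. The following script, an added example that is not part of the original article or of KDE's code, automates that inspection for zip and tar archives: it lists every entry whose name could escape the extraction directory, flagging any “..” path component, absolute paths and Windows drive letters. The sample archives are constructed in memory for the demonstration; the function names are this example's own.

```python
import io
import posixpath
import tarfile
import zipfile


def is_unsafe_entry(name: str) -> bool:
    """Return True if an archive entry name could escape the extraction directory.

    Flags absolute paths, Windows drive letters, and any '..' path component,
    so 'docs/../../x' is caught as well as a plain '../x'.
    """
    # Normalise separators so backslash-separated names are checked the same way.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    if ".." in norm.split("/"):
        return True
    # Belt and braces: anything that still normalises to a parent directory.
    collapsed = posixpath.normpath(norm)
    return collapsed == ".." or collapsed.startswith("../")


def unsafe_entries(data: bytes) -> list[str]:
    """Return the entry names in a zip or tar archive that fail is_unsafe_entry()."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        # "r:*" lets tarfile detect plain, gzip, bz2 or xz compressed tars.
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            names = [m.name for m in tf.getmembers()]
    return [n for n in names if is_unsafe_entry(n)]


def build_sample_zip() -> bytes:
    """Constructed sample zip: one benign entry and one '../' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../.bashrc", "# constructed traversal entry\n")
    return buf.getvalue()


def build_sample_tar() -> bytes:
    """Constructed sample tar: a benign entry and a traversal hidden mid-path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for entry_name in ("docs/readme.txt", "docs/../../escape"):
            payload = b"harmless\n"
            info = tarfile.TarInfo(entry_name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("zip", build_sample_zip()), ("tar", build_sample_tar())):
        bad = unsafe_entries(data)
        verdict = "REFUSE: traversal entries " + str(bad) if bad else "ok"
        print(f"{label}: {verdict}")
```

To check a downloaded file, read it into bytes and pass it to `unsafe_entries()`; a non-empty result means the archive should not be extracted with an unpatched Ark. The check deliberately inspects entry names rather than trusting the extractor, which is the point of the workaround: the decision is made before any file is written.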

Alternatively, you can apply the patch, which is available on GitHub, to your existing KDE Ark installation.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
