A member of the Kernal community has disclosed an unusually careless attitude to security in the Linuxfx distribution, which offers a KDE desktop styled after the Windows 11 interface. According to the project website, the distribution is used by more than a million users, and about 15 thousand downloads were recorded this week. The distribution offers activation of additional paid features, which is done by entering a license key in a dedicated graphical application.
An examination of the license activation application (/usr/bin/windowsfx-register) showed that it contains a hard-coded login and password for an external MySQL database, to which it adds a record for each new user. The embedded credentials grant full access to the database, including the “Machines” table, which holds information about all installations of the distribution, including users' IP addresses. The contents of the FXKEYS table, with the license keys and email addresses of all registered commercial users, are also accessible. Notably, despite the claim of a million users, the database contains only 20 thousand records.
The application is written in Visual Basic and runs under the Gambas interpreter.
The reaction of the distribution's developers deserves separate attention. After information about the security problems was published, they released an update that did not eliminate the problem itself but merely changed the database name, login and password, altered the logic for obtaining the credentials, and attempted to hinder tracing of the program. Instead of hard-coding the credentials, the Linuxfx developers now load the database connection parameters from an external server using the curl utility. As protection against analysis, the program, after launch, searches for and kills all running “sudo”, “stapbp” and “*-bpfcc” processes, apparently believing that they could be used to trace its operation.
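The three behaviours described in this report (credentials embedded in the client, credentials pulled from a remote server at run time, and killing of tracing tools) are the kind of thing a distribution reviewer can flag with a simple static audit. The following is an added example, not code from the Linuxfx project; the launcher script it scans is constructed for illustration and is not the real windowsfx-register program.

```python
"""Static audit for the anti-patterns described in the Linuxfx report:
hard-coded database credentials, credentials pulled from a remote server
at run time, and termination of tracing tools (sudo, stapbpf, *-bpfcc).
The sample input below is constructed for illustration; it is not the
real windowsfx-register program."""
import re

# Constructed sample: a shell-like launcher mixing the three anti-patterns.
SAMPLE_LAUNCHER = """#!/bin/sh
DB_HOST=db.example.invalid
DB_USER=fxuser
DB_PASS=s3cret-placeholder
mysql -h "$DB_HOST" -u "$DB_USER" -p"$DB_PASS" licenses -e "INSERT INTO machines ..."
CREDS=$(curl -s https://cfg.example.invalid/creds.txt)
pkill -f stapbpf
pkill -f -- '-bpfcc'
pkill sudo
"""

FINDINGS = {
    # Credential-looking assignments, or mysql client calls with an inline password.
    "hardcoded_db_credentials": re.compile(
        r"(?im)^\s*(?:\w*(?:pass|pwd|secret)\w*\s*=\s*\S+|mysql\b.*\s-p\S+)"),
    # Secrets fetched over the network at run time, as the update did with curl.
    "remote_credential_fetch": re.compile(
        r"(?im)^\s*\w+=\$\(\s*(?:curl|wget)\b.*(?:cred|key|pass|token)"),
    # Killing of privilege or tracing tools (anti-analysis behaviour).
    "kills_tracing_tools": re.compile(
        r"(?im)^\s*(?:pkill|killall)\b.*\b(?:sudo|stapbpf|bpfcc)\b"),
}


def audit(text: str) -> dict[str, list[int]]:
    """Return, per finding category, the 1-based line numbers that matched."""
    lines = text.splitlines()
    report: dict[str, list[int]] = {}
    for name, pattern in FINDINGS.items():
        hits = [i for i, line in enumerate(lines, 1) if pattern.search(line)]
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_LAUNCHER).items():
        print(f"{name}: lines {hits}")
```

A clean launcher produces an empty report; each category lists the offending lines so the reviewer can inspect them in context.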