Zettlr 2.3.0 - Local File Read
Summary
| Field | Value |
|---|---|
| Name | Zettlr 2.3.0 - Local File Read |
| Code name | |
| Product | Zettlr |
| Affected versions | Version 2.3.0 |
| State | Public |
| Release date | 2022-09-26 |
Vulnerability
| Field | Value |
|---|---|
| Kind | Insecure or unset HTTP headers - Content-Security-Policy |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| CVSSv3.1 Base Score | 5.5 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2022-40276 |
Description
Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files from any client that views a malicious markdown file through Zettlr. This is possible because the application does not have a CSP policy (or at least not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them.
Vulnerability
This vulnerability occurs because the application does not have a CSP policy (or at least not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them. As a result, an attacker can embed malicious JavaScript in a markdown file and send it to a victim; when the victim views the file, the script runs in the renderer and exfiltrates their local files.
More about this functionality here: https://docs.zettlr.com/en/core/print-preview/
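As an added illustration (not Zettlr's code) of the two missing controls named above, the following defines a strict CSP for the print window and a conservative pre-render check that refuses markdown carrying raw active HTML. The rule set and the sample document are constructed here; the sample reuses the exploit.md line from the Exploitation section as its malicious input.

```javascript
// Added example (not Zettlr's code): a pre-render gate for markdown plus a strict
// CSP for the print window. The CSP is the primary control; the scanner is
// defense in depth and deliberately flags rather than "cleans" (constructed rules).

// Raw-HTML constructs that a markdown renderer passing HTML through would hand
// to the print window verbatim.
const ACTIVE_CONTENT = [
  { id: "script-tag", re: /<\s*script\b/i },
  { id: "event-handler", re: /<[^>]*\son[a-z]+\s*=/i },
  { id: "javascript-url", re: /\b(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { id: "file-url", re: /\bfile:\/\//i },
  { id: "iframe-or-object", re: /<\s*(?:iframe|object|embed)\b/i },
];

// Scan markdown source line by line; one finding per matching rule per line.
function scanMarkdown(markdown) {
  const findings = [];
  markdown.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of ACTIVE_CONTENT) {
      if (rule.re.test(line)) findings.push({ line: idx + 1, rule: rule.id });
    }
  });
  return findings;
}

// Policy for the print/preview window, delivered as a CSP header or meta tag:
// no scripts, no plugins, no network or file:// fetches. Inline styles stay
// allowed because print stylesheets need them.
function printWindowCsp() {
  return [
    "default-src 'none'",
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data:",
    "font-src 'self'",
  ].join("; ");
}

// Gate: render only when the scan returns no findings.
function decide(markdown) {
  const findings = scanMarkdown(markdown);
  return { render: findings.length === 0, findings };
}

// Constructed sample: benign notes plus the exploit.md line from this advisory.
const SAMPLE = [
  "# Notes",
  "Some *ordinary* markdown.",
  '<script>fetch("file:///etc/private").then(r => r.text()).then(leak => alert(leak))</script>',
].join("\n");

console.log(decide(SAMPLE), printWindowCsp());
```

The scanner catches only raw HTML in the markdown source; the CSP is what stops a script that slips through (or is injected by another path) from reading file:// URLs or reaching the network.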
Exploitation
To exploit this vulnerability, you must send the following file to a user to open with Zettlr. The exploit is triggered when the user presses CTRL+P or simply clicks print.
exploit.md
<script>fetch("file:///etc/private").then(response => response.text()).then(leak => alert(leak))</script>
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-40276 to refer to this issue from now on.
System Information
- Version: Zettlr 2.3.0
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/Zettlr/Zettlr
Timeline
- 2022-09-07: Vulnerability discovered.
- 2022-09-08: Vendor contacted.
- 2022-09-26: Public disclosure.