Zettlr 2.3.0 - Local File Read

Summary

Name: Zettlr 2.3.0 - Local File Read
Code name: Avicii
Product: Zettlr
Affected versions: Version 2.3.0
State: Public
Release date: 2022-09-26

Vulnerability

Kind: Insecure or unset HTTP headers - Content-Security-Policy
Rule: 043. Insecure or unset HTTP headers - Content-Security-Policy
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSSv3 Base Score: 5.5
Exploit available: Yes
CVE ID(s): CVE-2022-40276

Description

Zettlr version 2.3.0 allows an external attacker to read arbitrary local files from any client that opens a malicious markdown file in Zettlr and views it through the print preview. This is possible because the preview renders the raw HTML embedded in the markdown, including <script> elements, without a Content-Security-Policy (or with one that is not strict enough) and without validating the contents of the markdown file before rendering it.

Vulnerability

This vulnerability occurs because the print preview renders markdown content as HTML without a restrictive CSP and without sanitising that content first. An attacker can therefore embed JavaScript in a markdown file and send it to the victim; when the victim opens the preview, the script runs in the preview document, where fetch() can read file:// URLs, and the attacker can exfiltrate the victim's local files.

More about this functionality here: https://docs.zettlr.com/en/core/print-preview/

Exploitation

To exploit this vulnerability, send the following file to a user and have them open it in Zettlr. The payload is triggered when the user opens the print preview, either by pressing CTRL+P or by clicking print.

exploit.md

<script>fetch("file:///etc/private").then(response => response.text()).then(leak => alert(leak))</script>
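The payload above depends on two things the preview document permits: an inline <script> is executed, and fetch() is allowed to reach a file:// URL. A Content-Security-Policy that denies either one stops this exploit, even if raw HTML is still rendered. The following is an added example, not code from Zettlr or from the advisory: a small evaluator for CSP strings that answers those two questions and shows a policy with no restrictions beside a hardened one. The policies, the assumption that the preview page is loaded from a file:// origin (as an Electron renderer commonly is), and all function names are constructed for the example.

```javascript
// Added example (not Zettlr's code): does a given Content-Security-Policy
// block the advisory's payload? The payload needs (1) an inline <script> to
// execute and (2) fetch() to reach a file:// URL.

// Parse a CSP string into Map<directive name, [source expressions]>.
// Per the CSP spec, a repeated directive keeps its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Source list that governs a fetch directive, honouring the default-src
// fallback. Returns null when nothing in the policy covers it (unrestricted).
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does the policy let an attacker-controlled inline <script> run?
function allowsInlineScript(policy) {
  const sources = effectiveSources(parseCsp(policy), 'script-src');
  if (sources === null) return true; // neither script-src nor default-src set
  // 'unsafe-inline' is ignored when a nonce/hash source or 'strict-dynamic'
  // is present; then only matching scripts run, which an injected one is not.
  const hasNonceOrHash = sources.some(
    (s) => s.startsWith("'nonce-") || s.startsWith("'sha256-") ||
           s.startsWith("'sha384-") || s.startsWith("'sha512-"));
  const strictDynamic = sources.includes("'strict-dynamic'");
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
}

// Does the policy let fetch() read a file:// URL? When the document itself has
// a file: scheme, '*' matches file: per CSP3, and 'self' is treated as matching
// as well, the pessimistic reading for a security check (assumption).
function allowsFileFetch(policy, documentScheme = 'file:') {
  const sources = effectiveSources(parseCsp(policy), 'connect-src');
  if (sources === null) return true;
  if (sources.includes('file:')) return true;
  if (documentScheme === 'file:' &&
      (sources.includes('*') || sources.includes("'self'"))) return true;
  return false;
}

// True when the policy would stop the advisory's payload.
function blocksExploit(policy, documentScheme = 'file:') {
  return !allowsInlineScript(policy) || !allowsFileFetch(policy, documentScheme);
}

// Wrap rendered markdown in a preview document that carries the policy as a
// <meta> tag, the usual delivery for a locally loaded Electron page.
function buildPreviewDocument(bodyHtml, policy) {
  const meta = policy
    ? `<meta http-equiv="Content-Security-Policy" content="${policy}">`
    : '';
  return `<!doctype html><html><head>${meta}</head><body>${bodyHtml}</body></html>`;
}

// Constructed policies: the first mirrors "no CSP at all", the second is a
// hardened one that still allows the styles and images a print preview needs.
const NO_POLICY = '';
const HARDENED_POLICY =
  "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'";

if (typeof require !== 'undefined' && require.main === module) {
  const candidates = [
    NO_POLICY,
    HARDENED_POLICY,
    "default-src 'self'; script-src 'unsafe-inline'", // has a CSP, still exploitable
  ];
  for (const p of candidates) {
    console.log(JSON.stringify(p), '=>', blocksExploit(p) ? 'blocked' : 'EXPLOITABLE');
  }
}
```

The third candidate policy is the case to watch for when auditing: a policy exists, so the "unset header" check passes, but script-src permits inline scripts and connect-src falls back to 'self', which on a file:// document still reaches local files. A CSP alone is also only half the fix; sanitising the rendered HTML (dropping script elements and event-handler attributes) removes the injection point regardless of policy.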

Evidence of exploitation

(Screenshot: LocalFileRead)

Our security policy

We have reserved CVE-2022-40276 to refer to this issue from now on.

System Information

  • Version: Zettlr 2.3.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability. Until one is released, do not open or print-preview markdown files from untrusted sources in the affected version.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/Zettlr/Zettlr

Timeline

2022-09-07: Vulnerability discovered.

2022-09-08: Vendor contacted.

2022-09-26: Public disclosure.