Zettlr 2.3.0 - Local File Read

Summary

NameZettlr 2.3.0 - Local File Read
Code nameAvicii
ProductGridea
Affected versionsVersion 2.3.0
StatePublic
Release date2022-09-26

Vulnerability

KindInsecure or unset HTTP headers - Content-Security-Policy
Rule043. Insecure or unset HTTP headers - Content-Security-Policy
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSSv3 Base Score5.5
Exploit availableYes
CVE ID(s)CVE-2022-40276

Description

Zettlr version 2.3.0 allows an external attacker to read arbitrary local files remotely on any client that attempts to print a malicious file, via Zettlr. This is possible because the application does not properly validate the content of the files before launching the "preview" of the file in HTML format.

Vulnerability

This vulnerability occurs due to lack of validation in the content of the files that you want to print from zettlr. When we want to print a document, a "preview" of the document is opened. At this moment any JS code present in any type of file accepted by the application is executed. The reason why the XSS payload is executed for any type of file is that the preview generates an HTML version of the file in question. This is why in the end it doesn't matter what type of file we deliver to the user.

More about this functionality here: https://docs.zettlr.com/en/core/print-preview/

Exploitation

To exploit this vulnerability, you must send the following file to a user to open with Zettlr. The exploit is triggered when the user presses "CTRL+P" or simply clicks "print".

exploit.md

<script>fetch("file:///etc/private").then(response => response.text()).then(leak => alert(leak))</script>

Evidence of exploitation

LocalFileRead

Our security police

We have reserved the CVE-2022-40276 to refer to this issue from now on.

System Information

  • Version: Zettlr 2.3.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

References

Vendor page https://github.com/Zettlr/Zettlr

Timeline

Time-lapse-logo

2022-09-07

Vulnerability discovered.

Time-lapse-logo

2022-09-08

Vendor contacted.

Time-lapse-logo

2022-09-26

Public Disclosure.