Joplin 2.8.8 - Remote Command Execution
|Name||Joplin 2.8.8 - Remote Command Execution|
|Affected versions||Version 2.8.8|
|Kind||Remote command execution|
|Rule||004. Remote command execution|
|CVSSv3 Base Score||7.7|
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the shell.openExternal function.
This vulnerability occurs due to improper scheme/protocol validation of external URLs. Here is a small example to give you a better understanding of vulnerability.
Basically what the application is doing is sending to shell.openExternal(url), any url present in the markdown file.
To achieve the RCE, the attacker will abuse certain schemes/protocols. Some of these only work on windows, others on MACos, others only work correctly under certain specific Linux distributions. In my case, I used Xubuntu 20.04 (Xfce) to simulate a victim. I chose this distribution because in its default configuration it executes the payload.desktop file after mounting the remote location where the payload file is located. In other Linux distributions by default these files are not executed once the remote location is mounted.
In the resources section I will provide you with support material so that you can understand in greater depth what I have just explained.
To exploit this vulnerability, you must send the following file to a user to open with Joplin:
In the Exec parameter you put the command you want the victim to execute.
[Desktop Entry] Exec=xmessage "RCE by cbelloatfluid" Type=Application
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-40277 to refer to this issue from now on.
Version: Joplin 2.8.8
Operating System: GNU/Linux - Xubuntu 20.04 (Xfce)
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://github.com/laurent22/joplin