Joplin 2.8.8 - Remote Command Execution
7.7
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Joplin 2.8.8 - Remote Command Execution
Code name
State
Public
Release date
Sep 26, 2022
Affected product
Joplin
Affected version(s)
Version 2.8.8
Vulnerability name
Remote command execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v3.1 base score
7.7
Exploit available
Yes
CVE ID(s)
Description
Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the shell.openExternal function.
Vulnerability
This vulnerability occurs due to improper scheme/protocol validation of external URLs. Here is a small example to give you a better understanding of vulnerability.
Basically what the application is doing is sending to shell.openExternal(url), any url present in the markdown file.
Exploitation requirements
To achieve the RCE, the attacker will abuse certain schemes/protocols. Some of these only work on windows, others on MACos, others only work correctly under certain specific Linux distributions. In my case, I used Xubuntu 20.04 (Xfce) to simulate a victim. I chose this distribution because in its default configuration it executes the payload.desktop file after mounting the remote location where the payload file is located. In other Linux distributions by default these files are not executed once the remote location is mounted.
In the resources section I will provide you with support material so that you can understand in greater depth what I have just explained.
Exploitation
To exploit this vulnerability, you must send the following file to a user to open with Joplin:
exploit.md
payload.desktop
In the Exec parameter you put the command you want the victim to execute.
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-40277 to refer to this issue from now on. Disclosure policy
System Information
Version: Joplin 2.8.8
Operating System: GNU/Linux - Xubuntu 20.04 (Xfce)
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/laurent22/joplin
Timeline
Vulnerability discovered
Sep 7, 2022
Vendor contacted
Sep 8, 2022
Public disclosure
Sep 26, 2022
