Summary
A code execution vulnerability exists in VNote, which allows an attacker to execute arbitrary programs on the victim's system.
Description
A note can contain a link whose target is a file:/// URI pointing at a local executable, for example file:///C:/WINDOWS/system32/cmd.exe or file:///C:/WINDOWS/system32/calc.exe. Opening such a link executes the referenced program, which allows an attacker to execute arbitrary programs. This vulnerability can be exploited by creating and sharing specially crafted notes. An attacker could send a crafted note file and perform further attacks.
Affected Version Details
3.17.0
Steps To Reproduce:
Create a note in VNote.
For reproduction, use binaries from C:/WINDOWS/system32/, as they are universally available on Windows.
Click on "Insert" and select the "Link" option.
Provide the "Text" for the hyperlink (e.g., "Click Me") and the "Link" to the executable (e.g., file:///C:/WINDOWS/system32/cmd.exe). Also, change the title so that on hover, no one can notice anything unusual.
Click on the "Apply" button to create the hyperlink.
Right-click on the "Click Me" hyperlink and select "Open in browser". Observe that C:/WINDOWS/system32/cmd.exe is executed on the system.
Supporting Material/References:
Proof of Concept Video (VNote-POC-CE.mkv, VNote-POC-CE.mp4)
Screenshot of Version Used
Impact
Given VNote’s note-sharing feature, an attacker could exploit this vulnerability by sending crafted notes to victims, potentially leading to unauthorized code execution and further attacks.
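An added example (not part of the original report, and not VNote's code): a Python check that lists the links in a Markdown note whose target scheme is outside an allowlist, which is the condition this report relies on. The allowlist, the function names and the sample note are assumptions made for this illustration.

```python
import re

# Schemes this example treats as safe to hand to the OS (an assumed policy).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline Markdown link: [text](target "optional title")
INLINE_LINK = re.compile(r'\[([^\]]*)\]\(\s*<?([^)\s>]+)>?(?:\s+"([^"]*)")?\s*\)')
# href attribute of raw HTML embedded in a note
HTML_HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# RFC 3986 scheme followed by ':'
SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')
# Bare Windows drive path, which would otherwise parse as a one-letter scheme
DRIVE_PATH = re.compile(r'^[A-Za-z]:[\\/]')

def classify_target(target):
    """Return why a link target should not be opened, or None if acceptable."""
    t = target.strip()
    if DRIVE_PATH.match(t):
        return "absolute local path"
    m = SCHEME.match(t)
    if m is None:
        return None  # no scheme: in-note anchor or relative link, not checked here
    scheme = m.group(1).lower()  # schemes are case-insensitive
    if scheme in ALLOWED_SCHEMES:
        return None
    return f"scheme '{scheme}' is not allowlisted"

def scan_note(markdown_text):
    """Return one finding per link whose target fails classify_target()."""
    findings = []
    for lineno, line in enumerate(markdown_text.splitlines(), start=1):
        links = [(m.group(2), m.group(1), m.group(3)) for m in INLINE_LINK.finditer(line)]
        links += [(m.group(1), None, None) for m in HTML_HREF.finditer(line)]
        for target, text, title in links:
            reason = classify_target(target)
            if reason:
                findings.append({"line": lineno, "text": text, "title": title,
                                 "target": target, "reason": reason})
    return findings

# Constructed sample note; the file: targets are the ones named in the report.
SAMPLE_NOTE = """# Meeting notes
See the [project page](https://example.com/vnote) for details.
[Click Me](file:///C:/WINDOWS/system32/cmd.exe "Project homepage")
<a href="FILE:///C:/WINDOWS/system32/calc.exe">agenda</a>
Jump to [summary](#summary) or mail [us](mailto:team@example.com).
"""
```

Each finding carries the link's title next to its real target, so a reviewer can see when the hover text does not match where the link goes.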