Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
51 lines (40 sloc) 2.8 KB

ACTIVE-2019-009: join.me URI Handler Remote Command Execution

Vulnerability Type:

Remote Command Execution

Vendors:

LogMeIn, Inc.

CVE ID:

CVE-2019-13637

Affected Products:

  • join.me Version 3.15.0.5495 and older for Windows

Summary:

A vulnerability in the join.me, could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.

Mitigation:

The vendor has released a patch in version 3.16.0.5505 addressing this vulnerability.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 05-03-19: ACTIVELabs contacted LogMeIn via Twitter, no response
  • 05-03-19: ACTIVELabs contacted join.me via Twitter
  • 05-04-19: ACTIVELabs contacted LogMeIn security team via Email
  • 05-06-19: join.me provided LogMeIn security team contact
  • 05-06-19: LogMeIn security team requested more information
  • 05-06-19: ACTIVELabs sent vulnerability report
  • 05-14-19: ACTIVELabs requested an update
  • 05-21-19: ACTIVELabs sent vulnerability details to CERT/CC
  • 06-17-19: LogMeIn security team responded stating they did not receive the initial report due attachment restrictions and requested sending PoC through other means
  • 06-17-19: ACTIVELabs sent vulnerability report
  • 06-19-19: ACTIVELabs requested an update
  • 06-21-19: LogMeIn security team responded stating they are working on fix
  • 07-01-19: ACTIVELabs requested an update
  • 07-02-19: LogMeIn security team informed ACTIVELabs that fix is being gradually rolled out to customers
  • 07-02-19: ACTIVELabs asked about timeline for requesting CVE entry from MITRE
  • 07-09-19: LogMeIn security team asked to hold off requesting CVE entry for a week due to fix release issues
  • 07-09-19: ACTIVELabs informed LogMeIn security team that a CVE entry will be requested on July 17, 2019
  • 07-15-19: LogMeIn security team confirmed a patch was released in version 3.16.0.5505 and requested ACTIVELabs to test patch
  • 07-16-19: ACTIVELabs confirms patch works as expected
  • 07-17-19: ACTIVELabs publishes this advisory
  • 07-17-19: ACTIVELabs request CVE entry from MITRE
You can’t perform that action at this time.