Remote code execution vulnerability #384

@theGEBIRGE

Hey, I've discovered a vulnerability in obsidian-annotator. I'm sticking to GitHub's default template for advisories (maybe consider adding a SECURITY.md):

Summary

Opening an ebook with malicious scripts inside can lead to remote code execution on the user's machine.
Testing was done with Obsidian 1.5.12 and Annotator 0.2.11 on Windows.

Details

Because of the epub.js configuration option allowScriptedContent = true, it is possible to execute arbitrary JavaScript code from within an epub file:

allowScriptedContent: true

epub.js itself uses an iframe to display the epubs. While it does set the sandbox attribute, it also sets allow-same-origin. This can't be changed by the consumer of the library. A combination of allow-scripts and allow-same-origin renders the sandboxing obsolete (see here).

The developers of epub.js warn about this.

In the case of obsidian-annotator, exploitation is really simple, as the attacker has access to the node integration.

PoC

An ebook can be crafted with Calibre to include this bare minimum script:

window.top.require("child_process").execSync("calc");

That's it!

Impact

Users have to point the annotation-target to a malicious file (be that on the local or a remote system) and start to annotate it.
However, the attacker doesn't have to prepare a book specifically for obsidian-annotator, but can use some fingerprinting to determine in what environment it's running.

Distribution of malicious books could be done via pirate sites or even (online) conversion services, which could inject those malicious scripts.

Some ideas

In an ideal world, scripted content would be turned off. There are, however, limitations with that approach.
The author of foliate sums it up nicely here.
Maybe the user could be given the option to toggle scripted content.

That's it! If something's unclear, please ask away.

Cheers
Frederic

PS: Audio warning for the PoC video!

obsidian-annotator-rce-poc.mp4
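The following is an added example, not code from obsidian-annotator or epub.js. It models the iframe sandbox configuration described in the report and audits it for the allow-scripts plus allow-same-origin combination; it assumes (as the report describes) that epub.js always sets allow-same-origin and that scripted content runs only when allowScriptedContent is true, and the `enableEpubScripts` setting name is a hypothetical stand-in for the user toggle suggested above.

```javascript
// Added example (not from obsidian-annotator or epub.js). Assumption, modelled
// on the report: epub.js always carries allow-same-origin in the iframe sandbox
// and ebook scripts only run when allowScriptedContent is true, so the
// embedding plugin's only lever is that option.

// Sandbox tokens the viewer iframe would carry for a given setting (modelled).
function modelledSandbox(allowScriptedContent) {
  const tokens = ["allow-same-origin"];
  if (allowScriptedContent) tokens.push("allow-scripts");
  return tokens.join(" ");
}

// Audit an iframe sandbox attribute value. When allow-scripts and
// allow-same-origin are both present, the framed document runs with the
// embedder's origin and can reach window.top, so the sandbox no longer
// isolates the ebook's scripts from the host (an Electron app here).
function auditSandbox(sandboxAttr) {
  const tokens = new Set(
    String(sandboxAttr).toLowerCase().split(/\s+/).filter(Boolean)
  );
  const scripts = tokens.has("allow-scripts");
  const sameOrigin = tokens.has("allow-same-origin");
  const findings = [];
  if (scripts && sameOrigin) {
    findings.push(
      "allow-scripts with allow-same-origin: framed scripts share the " +
        "embedder's origin; the sandbox does not isolate ebook content"
    );
  }
  return { scripts, sameOrigin, sandboxEffective: findings.length === 0, findings };
}

// Compare the reported configuration with a user-controlled toggle that
// defaults to off (hypothetical setting name: enableEpubScripts).
function compareConfigs(userSettings = {}) {
  const reported = { allowScriptedContent: true };
  const toggled = { allowScriptedContent: userSettings.enableEpubScripts === true };
  return {
    reported: auditSandbox(modelledSandbox(reported.allowScriptedContent)),
    toggled: auditSandbox(modelledSandbox(toggled.allowScriptedContent)),
  };
}
```

With scripts left off by default, the audit reports the sandbox as effective; opting in reproduces the combination the report describes.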
