I found that it is possible to call arbitrary commands using the protocol handler `onemore://...`, since `CommandService.InvokeCommand` calls `CommandFactory.Invoke`, which uses reflection to get a command to execute. One of the commands is `RunPluginCommand`, which takes a path to a JSON file and will eventually call an external process.

The problem with this is that the URL received from the protocol handler may be malicious, as it is possible to put something like `<a href="onemore://..."></a>` or use JavaScript to trigger it, so an attacker could abuse this together with a UNC path and host a JSON file on a Samba server to get command execution on the victim's machine.

For example, a victim visiting a webpage with the following HTML will see a browser prompt asking if they want to open OneMore or not. If the answer is yes and the user also has OneNote currently open, then the attacker would be able to execute `calc.exe` on the victim's machine.

I think it would be good to whitelist some specific safe commands only, to prevent this from happening.
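The whitelist the report suggests, as an added example that is not part of the original issue or of OneMore's own code: the protocol-handler entry point parses the `onemore://` URI, takes the command name from it, and only hands names on a fixed allowlist to the reflection-based dispatcher, refusing `RunPluginCommand` and any URI that carries a path or query. The class name, method name, allowlist contents and the assumed `onemore://<command>` layout are assumptions for the example.

```csharp
using System;

// Added example, not OneMore's own code: an allowlist guard in front of the
// reflection-based dispatch (CommandService.InvokeCommand -> CommandFactory.Invoke)
// described in the report.
public static class ProtocolCommandGuard
{
    // Commands a remote web page may legitimately trigger. Anything that takes a
    // file path or launches a process (RunPluginCommand, for instance) is
    // deliberately absent. These names are assumptions for the example.
    private static readonly string[] Allowed =
    {
        "ShowAboutCommand",
        "OpenSettingsCommand",
    };

    // Returns the canonical command name to dispatch, or null if the URI must be
    // rejected. Only the returned name should ever reach CommandFactory.Invoke.
    public static string Accept(string rawUri)
    {
        if (string.IsNullOrWhiteSpace(rawUri)) return null;

        Uri uri;
        if (!Uri.TryCreate(rawUri, UriKind.Absolute, out uri)) return null;
        if (!uri.Scheme.Equals("onemore", StringComparison.OrdinalIgnoreCase)) return null;

        // Assumed layout: onemore://<command>. The command is the host part.
        string requested = uri.Host;
        if (string.IsNullOrEmpty(requested)) return null;

        // Refuse any path, query or fragment so a command can never be handed an
        // attacker-chosen argument (such as a UNC path) from the URI.
        if (uri.AbsolutePath != "/" ||
            !string.IsNullOrEmpty(uri.Query) ||
            !string.IsNullOrEmpty(uri.Fragment))
        {
            return null;
        }

        // Exact match against the allowlist; return the canonical spelling so the
        // attacker-controlled string itself is never used for reflection.
        foreach (string name in Allowed)
        {
            if (name.Equals(requested, StringComparison.OrdinalIgnoreCase))
            {
                return name;
            }
        }

        return null;
    }
}
```

With this guard, `onemore://RunPluginCommand/...` and `onemore://ShowAboutCommand?x=\\server\share\a.json` both return null, while `onemore://ShowAboutCommand` returns `"ShowAboutCommand"`.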