Vulnerability in Evernote allowed reading files and executing arbitrary commands

Evernote's developers have fixed CVE-2018-18524 in the Windows application, first in the 6.16.1 beta and then in Evernote 6.16.4. The bug was discovered by Knownsec and affected versions below 6.15.

The researchers stated publicly that the vulnerability let a remote attacker launch arbitrary programs and execute commands on the victim's machine; all the attacker had to do was share a note with the user and get them to view it. The bug was a stored (persistent) XSS vulnerability.

According to Knownsec's analysts, the problem was fixed in two stages. The original XSS bug was found by a security researcher known as Sebao, who noticed that if you attach an image to an Evernote note and then rename it, JavaScript can be embedded in the file name. When such a note is shared with another user, the code runs as soon as the recipient clicks on the image.

The developers fixed that issue in September of this year, but Knownsec's specialists noticed that the fix was incomplete: arbitrary code could still be embedded in the name of the attached image. In effect, the developers had only banned the characters <, > and " in file names.

Continuing to study the problem, the researchers found that the image name could still carry code that loads a .js file from a remote server, and that in presentation mode Evernote renders notes with NodeWebKit (NW.js), which exposes Node.js APIs to page script. Exploitation therefore required the victim not only to open the malicious note but to do so in presentation mode. The remaining part of the XSS vulnerability was thus still unpatched.
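As an added illustration (not Evernote's code and not Knownsec's exploit), the following JavaScript models the blocklist fix described above and shows why stripping only <, > and " does not neutralise an attachment name that is concatenated into HTML. The renderer, the single-quoted attribute context and the constructed file name are assumptions made for the example; the page does not say what markup Evernote actually generated.

```javascript
// Added illustrative example, not Evernote's code. Models a filter that strips
// only <, > and " and shows why that is insufficient when an attachment name is
// concatenated into an HTML attribute.

// Weak filter: a blocklist of the three characters the first patch banned.
function stripBlocklisted(name) {
  return name.replace(/[<>"]/g, "");
}

// Hypothetical renderer (assumption): builds the <img> tag by string
// concatenation with single-quoted attributes, so a single quote in the name
// ends the attribute value and whatever follows is parsed as new attributes.
function renderCaptionWeak(name) {
  return "<img class='attachment' alt='" + stripBlocklisted(name) + "'>";
}

// Correct output encoding for an HTML attribute context: every character that
// can change the parser's state (&, <, >, ", ') is entity-encoded.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderCaptionFixed(name) {
  return "<img class='attachment' alt='" + escapeHtmlAttr(name) + "'>";
}

// Helper to check the result without a browser: lists the attribute names an
// HTML parser would see on the tag. It only understands single- or
// double-quoted values, which is all the renderers above emit.
function attributeNames(tag) {
  const names = [];
  const re = /\s([a-zA-Z-]+)=(?:'[^']*'|"[^"]*")/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed attachment name (not from the page): contains no <, > or ", so
// the blocklist passes it through unchanged, yet it smuggles in an event handler.
const PAYLOAD_NAME = "cat.png' onclick='alert(document.domain)";

// Returns both renderings and the attributes each one exposes, for comparison.
function demo(name = PAYLOAD_NAME) {
  const weak = renderCaptionWeak(name);
  const fixed = renderCaptionFixed(name);
  return {
    weak,
    weakAttributes: attributeNames(weak),     // ["class", "alt", "onclick"]
    fixed,
    fixedAttributes: attributeNames(fixed),   // ["class", "alt"]
  };
}

console.log(demo());
```

Run it with node: the weak rendering gains an onclick attribute that the blocklist never touched, while the escaped rendering keeps the entire name inside alt. The durable fix is context-aware output encoding, or building the element with DOM APIs such as setAttribute instead of string concatenation, rather than a character blocklist. In a presentation mode backed by NW.js, a script that gets this far can reach Node modules such as fs and child_process, which is how a stored XSS turns into file reads and command execution.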