Tutorial - How to use XSS to execute arbitrary code in Evernote

XMAN

Active member
The content of the article
  • Booth
  • First Steps
  • From XSS to RCE
  • Vulnerability Demonstration (Video)
  • Conclusion

INFO
This vulnerability has been identified as CVE-2018-18524.

Evernote is one of the pioneers in cross-device note-taking services with sync capabilities. The public beta was released over a decade ago, in June 2008. Notes here are defined as fragments of formatted text, web pages in whole or in parts, photographs, audio files, or handwritten notes.

Notes can also contain attachments with other file types. Quite a handy thing that has become a part of the everyday life of the modern user. The number of Evernote users has now exceeded 200 million. Of course, Evernote clients are available on all major platforms: Android, iOS, macOS, and of course Windows.

An XSS vulnerability was discovered in the Windows version. Many researchers and auditors underestimate this type of attack and write it off. But before us is just an example of a case when XSS with a slight movement of the hand turns into remote command execution on the user's machine.

The vulnerability was initially discovered by @sebao, and then doped and promoted to RCE by researcher Tongqing Zhu from Knownsec 404 and sent to the vendor. All versions of the application below beta 6.16.1 were at risk. Let's see how this became possible.

Stand
Since only the Windows version of the application is vulnerable, we obviously need this OS. An XSS annotation can be created in almost any version below 6.15. I will be using 6.14.5 build 7671. The installation is standard.

095b3f8b8341e2c892245.jpg


Evernote 6.14.5 for Windows

After we create a note with a payload, it will work on any version below beta 6.16.1.
Why is there such confusion with versions? The fact is that since 6.15, developers have implemented user data sanitization: characters <, >and are filtered ". Therefore, it will no longer be possible to create a note with XSS in an application using legal methods.

The first steps
After installation, you need to register or log into your account, if you already have one. Create a new note and drag any picture there.
You must reply in thread to view hidden text.


ec55fe9aaf3508cc52cc0.jpg


Creating a new note in Evernote

The window can be closed, the data is saved automatically. Now let's see what format the application stores data in. To do this, go to the settings in the General section and find the Evernote local files section.

b70517411df875fe270df.jpg


There you need to click on the link Open Database folder. We find ourselves in the folder with the view profile files <имя_профиля>.exb. To open such a file, you will have to copy it or exit the Evernote application. Let's use any HEX editor to see the contents of the file.

d10074c124f1c825be4b6.jpg


As you can see, the title says that this is a regular SQLite version 3 database. Let's check it out. There are many applications that allow you to manipulate them. I am using DB Browser for SQLite. Install and open the EBX file in it. Among the many tables, there is resource_attr. This is where the data of items attached to notes, such as our pictures, is stored.

Hacking Father · Jul 30, 2021 at 9:37 AM

" style="cursor: pointer;"> 2ecad1774331f1efab584.jpg


View resource_attr table in Evernote profile file

The field file_namestores the current name of the attachment. It can be changed in the note itself by right-clicking on the picture and choosing Rename. Let's write something more meaningful here, for example " onclick="alert('XSS')">.jpg.

cdc3d019f6298efb2bd76.jpg


add XSS payload instead of image name

Now let's look at the base and look at the field again file_name.

Hacking Father · Jul 30, 2021 at 9:37 AM

" style="cursor: pointer;"> 5c9a6acb186e4d4828bf5.jpg


View resource_attr table after renaming an image

Now let's re-open the created note and click on the picture.

0d9aec0d9d2d226a31f6a.jpg


Stored XSS in Evernote

Bam! Caught an alert. This is because the editor uses HTML markup to format the data. Under the cut, there is an almost full-fledged browser with JavaScript and all sorts of additional buns. You can dig into the memory of the Evernote process and find what the code that displays the image looks like.

Code:

   



572d91578604cf0e80475.jpg


View HTML in memory of the Evernote process

The link en-resource://database/392:0points to the attachment with UID 392 in the database. As you saw above, this is our picture. The attribute contains data-filename data from the field file_name. This is where we introduce payload.

Code:
. jpg # 26138512 "/>

That is why the alert works out.
If you are using a newer version, in which user input is already filtered and you cannot create a picture with XSS, then you can change the field file_namedirectly in the table - this will also work.

Let's transform our payload into a more usable form:

Code:
">