designershaa.blogg.se

When was evernote hacked











On that page, users are prompted to click the link to download or preview a document that has apparently been shared using “Secured Microsoft Azure for OneDrive Cloud.”

Figure 2. The phishing emails contain a link that leads to a page on Evernote. And it is this sharing feature that is exploited by threat actors to spread malicious PDF files via phishing emails.

Figure 1. The final patch was released earlier this month with the release of Evernote 6.16.4.

Evernote notebooks can be shared within the platform and through public links.


The flaw was tracked as CVE-2018-18524 and was initially addressed with the release of Evernote for Windows 6.16.1 beta in October. TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.


The expert TongQing Zhu from Knownsec 404 Team discovered that it was still possible to execute arbitrary code with a variant of the above trick. TongQing Zhu discovered that the code used instead of the name could load a Node.js file from a remote server; the script is executed via NodeWebKit, which Evernote uses in presentation mode. “I find Evernote has a NodeWebKit in C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit and Present mode will use it. Another good news is we can execute Nodejs code by stored XSS under Present mode.” The attacker only needs to trick an Evernote user into opening a note in presentation mode; in this way he will be able to steal arbitrary files and execute commands.


In September, Evernote addressed the stored XSS flaw with the release of version 6.16., but the fix was incomplete. The expert noticed that when a user adds a picture to a note and then renames it, JavaScript code could be used instead of a name. Sebao discovered that if the note was shared with another Evernote user, the code would get executed when the recipient clicked on the picture.
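
As an added illustration of the flaw class described above (not Evernote's code and not the researchers' proof of concept), here is a hypothetical renderer that places an attachment name into an HTML attribute, with and without output encoding. The function names, the markup and the sample file name are all constructed for this example.

```javascript
// Added example: hypothetical note renderer, not Evernote's code.
// The attachment name is attacker-controlled once a note is shared.

// Encode every character that can end an attribute value or open a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => "&#" + ch.charCodeAt(0) + ";");
}

// Vulnerable form: the name is concatenated into the markup as-is.
function renderAttachmentUnsafe(name) {
  return '<img src="attachment.bin" title="' + name + '">';
}

// Hardened form: the name is encoded for the attribute context it lands in.
function renderAttachmentSafe(name) {
  return '<img src="attachment.bin" title="' + escapeAttr(name) + '">';
}

// Minimal attribute scanner for the single tag produced above, used only to
// show which double-quoted attributes a parser would see in the output.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Event-handler attributes present in rendered markup (a regression check
// a test suite could run against the renderer).
function eventHandlers(tag) {
  return attributeNames(tag).filter((n) => n.startsWith("on"));
}

// Constructed sample name: a quote closes the title attribute, then a
// handler attribute follows.
const renamed = 'holiday.jpg" onclick="alert(1)';

console.log(eventHandlers(renderAttachmentUnsafe(renamed))); // [ 'onclick' ]
console.log(eventHandlers(renderAttachmentSafe(renamed)));   // []
```

Encoding at the point of output, for the exact context the value lands in, is what keeps a renamed attachment as inert text, whatever characters the name contains.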












