Steps to reproduce
Move any executable file into vault > Click File > File is executed without warning
Did you follow the troubleshooting guide? [Y/N] Y
I attempted this in my local vault in restricted mode.
Expected result
I expected the application not to recognize the file extension at all, and not to render it in the application. At a minimum, I would have expected a pop-up message upon clicking the file.
Actual result
When I clicked on the file (exploitable with .py and .c files), the file was executed without warning. My machine does not have root privileges, so I created a .py file with a test to confirm if executing the script would indeed allow a malicious actor to execute commands through the application. By default, Windows users’ first user is given administrator privileges so this action would successfully execute without the user’s knowledge. Below is the simple script I created to test if clicking the file would execute or open the file for editing:
```python
import os

# Probe path in a location only an elevated (administrator) process can write to.
PROBE_DIR = "C:\\Windows\\System32\\TestDir"


def check_admin_privileges():
    try:
        # Attempt to create a directory in a protected location
        os.mkdir(PROBE_DIR)
    except PermissionError as e:
        # input() keeps the console window open so the result is visible when
        # the script is launched by double-click / shell open rather than from a terminal.
        input(f"PermissionError: You do not have the required administrative privileges. {e}")
    else:
        input("Directory created successfully. You have administrative privileges.")
        # Clean up if the directory was actually created
        os.rmdir(PROBE_DIR)


if __name__ == "__main__":
    check_admin_privileges()
```
Environment
SYSTEM INFO:
Obsidian version: v1.6.3
Installer version: v1.5.12
Operating system: Windows 10 Home 10.0.22631
Login status: not logged in
Insider build toggle: off
Live preview: on
Base theme: adapt to system
Community theme: Minimal v7.5.4
Snippets enabled: 0
Restricted mode: on
RECOMMENDATIONS:
Custom theme and snippets: for cosmetic issues, please first try updating your theme and disabling your snippets. If still not fixed, please try to make the issue happen in the Sandbox Vault or disable community theme and snippets.
Additional information
It is worth noting that I did locate an earlier post regarding arbitrary code execution with PDF.js files. I thought to go ahead and test that out myself and was unable to get my .js file to execute. It used another simple function to print hello to the console as a proof of concept. This actually didn’t work, which I expected after reading that this had been addressed in an earlier release. When I click on my file, it simply does nothing.
What started my testing of this was that I created an internal link and thought about what might happen if I ended the file name in “.py”. I created a file called “testing.py”, and nothing special happened. When I opened the directory from the file explorer, I understood why: it had updated the file name to actually read “testing.py.md”. Through the explorer, I was able to manually rename it to “testing.py”, and Obsidian simply accepted the updated file in the directory and displayed it in the UI with a lightened “PY” next to the file name. Upon clicking the file, the script was executed with the version of Python in PATH. As most OSes ship with Python on board, and/or future software will automatically download it as part of its functionality, this could be a problem if users were to accidentally open a file of this kind within the application.
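The behaviour described in this report (clicking a non-Markdown file hands it to whatever Windows has registered for that extension, and for .py that is usually the Python launcher) can be checked on a given machine without executing anything. The PowerShell function below is an added example for readers, not code from the report or from Obsidian; it assumes the standard registry layout (a per-user UserChoice override under HKCU, otherwise HKCR\<ext> pointing at a ProgId whose shell\open\command is the launch command), and the pattern used to flag a handler as "executes the file" is a heuristic of this example.

```powershell
# Added example, not part of the original bug report. Reports what the Windows shell
# would do when a file with the given extension is "opened" (the same action a
# double-click, or an app calling ShellExecute/shell.openPath, triggers).
# Nothing in this function runs the file; it only reads the association.
function Get-ShellOpenCommand {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.py'

    # A per-user choice ("Open with" > "Always use this app") overrides the
    # machine-wide default under HKEY_CLASSES_ROOT, so check it first.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    }
    if (-not $progId) {
        # No association: Windows would show the "How do you want to open this file?" prompt instead.
        return $null
    }

    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command   # "%1" / "%L" is replaced with the clicked file's path
    }
}

# Constructed inputs: the two extensions the report says were executed, plus .js,
# which the report says did nothing when clicked.
foreach ($ext in '.py', '.c', '.js') {
    $r = Get-ShellOpenCommand -Extension $ext
    if ($null -eq $r) {
        "$ext : no handler registered (Windows would ask which app to use)"
    }
    elseif ($r.Command -match 'python|py\.exe|wscript|cscript|cmd\.exe|powershell') {
        # Heuristic of this example: handlers that are interpreters run the file rather than display it.
        "$ext : WOULD EXECUTE via $($r.Command)"
    }
    else {
        "$ext : opens with $($r.ProgId) -> $($r.Command)"
    }
}
```

If .py resolves to a ProgId such as Python.File whose command is the py.exe launcher or python.exe, then any application that opens vault attachments through the shell will run the script, which matches what the report observes; if it resolves to an editor (or to nothing), clicking the same file would instead open it for editing or prompt for an app. The classic `cmd /c assoc .py` and `cmd /c ftype Python.File` show the same machine-wide values but not the per-user override.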