https://feed.craftedsignal.io/products/note-mark/backend/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 15:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-note-mark-rce/Tue, 09 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-note-mark-rce/Note Mark is vulnerable to arbitrary file write via path traversal in asset names, leading to remote code execution by overwriting system binaries such as /bin/bash.Note Mark versions 0.19.2 and earlier contain an arbitrary file write vulnerability that leads to remote code execution. Authenticated users can upload assets to notes via POST /api/notes/{noteID}/assets, with the asset filename taken directly from the X-Name HTTP header. The application fails to sanitize this filename, storing it directly in the database. When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed into filepath.Join() calls. An attacker-controlled asset name containing directory traversal sequences (e.g., ../) allows writing files to arbitrary locations, which can be escalated to RCE by overwriting system binaries, such as /bin/bash. The vulnerability is present in Note Mark’s backend component.

Attack Chain

1. Attacker registers an account and authenticates to the Note Mark application.
2. Attacker creates a notebook using a POST request to /api/books.
3. Attacker creates a note within the notebook using a POST request to /api/books/<BOOK_ID>/notes.
4. Attacker uploads an asset with a malicious payload and a path traversal filename in the X-Name header to /api/notes/<NOTE_ID>/assets. The X-Name header contains a path traversal sequence targeting a sensitive file like /bin/bash.
5. The application stores the unsanitized filename (including the path traversal) in the database.
6. An administrator triggers a data export using note-mark migrate export-v1 --export-dir /data/backup or note-mark migrate export.
7. The export process uses the unsanitized filename in filepath.Join(), causing a file to be written to the attacker-specified location (e.g., overwriting /bin/bash).
8. The next time bash is invoked, the attacker’s payload executes, resulting in code execution as root.

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the system with root privileges, leading to complete system compromise. Overwriting /bin/bash results in RCE the next time any user invokes bash. The number of affected installations is unknown, but the vulnerability exists in version 0.19.2 and earlier.

Recommendation

• Deploy the Sigma rule to detect asset uploads with path traversal sequences in the X-Name header.
• Apply filepath.Base() to the X-Name header value in backend/handlers/assets.go before storing it in the database, as described in the advisory.
• Apply filepath.Base() to asset.Name in backend/cli/migrate.go at lines 328 and 223 before using it in file path construction.
• Upgrade to a patched version of Note Mark which addresses CVE-2026-44522.

]]>highadvisorypath-traversalrceweb-applicationhttps://feed.craftedsignal.io/briefs/2024-01-note-mark-jwt-vuln/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-note-mark-jwt-vuln/Note Mark is vulnerable to a JWT secret weakness that allows for full account takeover via token forgery by accepting secrets as short as 1 byte, enabling attackers to crack the signing secret offline and forge valid JWTs for any user.Note Mark is vulnerable to a critical security flaw related to the handling of JWT secrets. Specifically, the application does not enforce a minimum length or entropy on the JWT_SECRET configuration value. This means that the application accepts any base64-decodable secret, regardless of its size, even secrets as short as a single byte. According to RFC 7518 Section 3.2, HS256 keys must be at least 256 bits (32 bytes), but this is not enforced in Note Mark. This vulnerability, identified as CVE-2026-44523, allows attackers to compromise user accounts completely.

Attack Chain

1. Deploy a vulnerable instance of Note Mark with a weak JWT_SECRET (less than 32 bytes after base64 decoding).
2. An attacker registers a new user account on the vulnerable Note Mark instance.
3. The attacker captures a valid Auth-Session-Token cookie from the registration or login process.
4. The attacker uses offline brute-force or dictionary attacks to crack the weak signing secret, such as using a Python script to decode the token with different secret values.
5. Once the secret is recovered, the attacker forges a new JWT for an arbitrary user UUID, potentially including an administrator account, and extends the expiry time.
6. The attacker sends the forged token in a request to the server.
7. The server incorrectly validates the forged token due to the compromised secret.
8. The server returns a 200 OK response, authenticating the attacker as the targeted user, granting unauthorized access to sensitive data and functionality.

Impact

Successful exploitation of this vulnerability allows an attacker to perform full account takeover across the entire Note Mark application. The attacker can forge valid JWTs for any user, including administrators, without needing to know any actual user credentials. There is no server-side detection or rate-limiting possible, allowing the attacker to gain complete control over user accounts and data, potentially leading to data breaches, unauthorized modifications, and complete system compromise.

Recommendation

• Enforce a minimum length of 32 bytes (256 bits) for JWT secrets after base64 decoding to prevent brute-force attacks. This directly addresses the core vulnerability (CVE-2026-44523).
• Reject weak secrets during configuration parsing within the Base64Decoded.UnmarshalText function or during config validation to prevent deployment with insecure secrets.
• Deploy the Sigma rule Detect Weak JWT Secret Usage to identify potentially vulnerable Note Mark instances that do not meet the minimum key size requirements.

]]>criticaladvisoryjwtaccount-takeovervulnerability