{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/enchant97/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["note-mark/backend"],"_cs_severities":["high"],"_cs_tags":["path-traversal","rce","web-application"],"_cs_type":"advisory","_cs_vendors":["enchant97"],"content_html":"\u003cp\u003eNote Mark versions 0.19.2 and earlier contain an arbitrary file write vulnerability that leads to remote code execution. Authenticated users can upload assets to notes via \u003ccode\u003ePOST /api/notes/{noteID}/assets\u003c/code\u003e, and the asset filename is taken directly from the \u003ccode\u003eX-Name\u003c/code\u003e HTTP header. The application does not sanitize this filename before storing it in the database. When an administrator later runs one of the data export CLI commands (\u003ccode\u003enote-mark migrate export-v1\u003c/code\u003e or \u003ccode\u003enote-mark migrate export\u003c/code\u003e), the stored asset name is passed to \u003ccode\u003efilepath.Join()\u003c/code\u003e to build the output path. \u003ccode\u003efilepath.Join()\u003c/code\u003e normalizes the result but does not confine it to the export directory, so an asset name containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) causes the asset content to be written to an attacker-chosen location with the privileges of the account running the export. Overwriting a system binary such as \u003ccode\u003e/bin/bash\u003c/code\u003e turns the file write into code execution. 
The vulnerability is present in Note Mark\u0026rsquo;s backend component.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers an account and authenticates to the Note Mark application.\u003c/li\u003e\n\u003cli\u003eAttacker creates a notebook with a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/books\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker creates a note within the notebook with a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/books/\u0026lt;BOOK_ID\u0026gt;/notes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the payload as an asset to \u003ccode\u003e/api/notes/\u0026lt;NOTE_ID\u0026gt;/assets\u003c/code\u003e with an \u003ccode\u003eX-Name\u003c/code\u003e header whose value is a path traversal sequence: enough \u003ccode\u003e../\u003c/code\u003e segments to climb from the export directory to a sensitive file such as \u003ccode\u003e/bin/bash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application stores the unsanitized filename, traversal sequence included, in the database.\u003c/li\u003e\n\u003cli\u003eAn administrator triggers a data export using \u003ccode\u003enote-mark migrate export-v1 --export-dir /data/backup\u003c/code\u003e or \u003ccode\u003enote-mark migrate export\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe export passes the stored filename to \u003ccode\u003efilepath.Join()\u003c/code\u003e, which resolves the traversal, so the asset is written to the attacker-specified location (e.g., over \u003ccode\u003e/bin/bash\u003c/code\u003e) with the privileges of the account running the export.\u003c/li\u003e\n\u003cli\u003eThe next time \u003ccode\u003ebash\u003c/code\u003e is invoked, the attacker\u0026rsquo;s payload runs in its place with the privileges of the invoking user; when that user is root, the result is code execution as root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a low-privileged authenticated user to write attacker-controlled content to arbitrary paths on the host with the privileges of the account that runs the export (root, if the export is run as root), leading to complete system compromise. Overwriting \u003ccode\u003e/bin/bash\u003c/code\u003e results in RCE the next time any user invokes \u003ccode\u003ebash\u003c/code\u003e. Note that the write does not happen at upload time: it requires an administrator to run an export, so a malicious asset name can sit dormant in the database until the next backup. The number of affected installations is unknown, but the vulnerability exists in version 0.19.2 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect asset uploads with path traversal sequences in the \u003ccode\u003eX-Name\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eApply \u003ccode\u003efilepath.Base()\u003c/code\u003e to the \u003ccode\u003eX-Name\u003c/code\u003e header value in \u003ccode\u003ebackend/handlers/assets.go\u003c/code\u003e before storing it in the database, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eApply \u003ccode\u003efilepath.Base()\u003c/code\u003e to \u003ccode\u003easset.Name\u003c/code\u003e in \u003ccode\u003ebackend/cli/migrate.go\u003c/code\u003e at lines 328 and 223 before using it in file path construction. \u003ccode\u003efilepath.Base()\u003c/code\u003e returns \u003ccode\u003e.\u003c/code\u003e for an empty name and \u003ccode\u003e..\u003c/code\u003e for a name of \u003ccode\u003e..\u003c/code\u003e, so reject those values instead of joining them onto the export directory.\u003c/li\u003e\n\u003cli\u003eBefore running an export on an existing installation, audit stored asset names for path separators or \u003ccode\u003e..\u003c/code\u003e segments: names uploaded before the fix remain in the database, and only the export-side fix neutralizes them.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Note Mark which addresses CVE-2026-44522.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-note-mark-rce/","summary":"Note Mark is vulnerable to arbitrary file write via path traversal in asset names, leading to remote code execution by overwriting system binaries such as /bin/bash.","title":"Note Mark Arbitrary File Write via Path Traversal Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-note-mark-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Enchant97","version":"https://jsonfeed.org/version/1.1"}
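The path construction the advisory describes, and the fix it recommends, as an added Go example. This is not Note Mark's own code and is not taken from its `migrate.go` or `assets.go`; the function names `AssetPathUnsafe`, `SanitizeAssetName` and `AssetPathSafe`, the export directory `/data/backup` and the sample asset names are assumptions constructed for illustration. The example goes one step beyond the advisory: it shows that `filepath.Base()` alone still lets `.` and `..` through, and adds a containment check on the final path so the export cannot escape the export directory even if a future code path skips sanitization.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// AssetPathUnsafe reproduces the vulnerable pattern from the advisory: the
// stored asset name is joined onto the export directory as-is. filepath.Join
// cleans the result, so "../" segments walk out of exportDir instead of being
// neutralized. Illustrative only; not Note Mark's actual migrate.go code.
func AssetPathUnsafe(exportDir, assetName string) string {
	return filepath.Join(exportDir, assetName)
}

// SanitizeAssetName applies the fix the advisory recommends, filepath.Base,
// and then rejects the degenerate results Base can still return: "." for an
// empty name or ".", ".." for a name of "..", and a bare separator for "/".
// Without these checks, Join(exportDir, "..") would still point outside
// exportDir.
func SanitizeAssetName(name string) (string, error) {
	base := filepath.Base(name)
	switch base {
	case "", ".", "..", string(filepath.Separator):
		return "", fmt.Errorf("invalid asset name %q", name)
	}
	return base, nil
}

// AssetPathSafe builds the export path from the sanitized name and then
// independently verifies that the final path is still inside exportDir by
// checking that the relative path from exportDir does not start with "..".
// The second check is defence in depth for any caller that forgets to
// sanitize first.
func AssetPathSafe(exportDir, assetName string) (string, error) {
	base, err := SanitizeAssetName(assetName)
	if err != nil {
		return "", err
	}
	root := filepath.Clean(exportDir)
	full := filepath.Join(root, base)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("asset path escapes export directory")
	}
	return full, nil
}

func main() {
	// Constructed asset names: one benign, the rest shaped like the
	// attacker-controlled X-Name values the advisory describes.
	names := []string{
		"diagram.png",
		"../../../../bin/bash",
		"..",
		"/bin/bash",
		"",
	}
	for _, n := range names {
		safe, err := AssetPathSafe("/data/backup", n)
		fmt.Printf("%-24q unsafe=%-28q safe=%q err=%v\n",
			n, AssetPathUnsafe("/data/backup", n), safe, err)
	}
}
```

Running it with `go run` prints, for each constructed name, the path the vulnerable join would have written to and the path (or error) the hardened version produces. The traversal name resolves to `/bin/bash` under the unsafe join and to `/data/backup/bash` under the safe one; an absolute name such as `/bin/bash` does not escape via `filepath.Join` on Linux, but is still reduced to its base name so the behaviour is uniform. The `filepath.Rel` check is deliberately separate from `SanitizeAssetName`: the advisory names two call sites in `migrate.go`, and a containment check at the point of the write protects both even if one of them is missed.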