XSS flaw in Evernote allows attackers to execute commands and steal files

Security expert discovered a stored XSS flaw in the Evernote app for Windows that could be exploited to steal files and execute arbitrary commands.

A security expert that goes online with the moniker @sebao has discovered a stored cross-site scripting (XSS) vulnerability in the Evernote application for Windows that could be exploited by an attacker to steal files and execute arbitrary commands.

The expert noticed that when a user adds a picture to a note and then renames it, it could use a JavaScript code instead of a name. Sebao discovered that if the note was shared with another Evernote user, the code would get executed when the recipient clicked on the picture.

In September, Evernote addressed the stored XSS flaw with the release of the version 6.16., but the fix was incomplete.

The expert TongQing Zhu from Knownsec 404 Team discovered that it was still possible to execute arbitrary with a variant of the above trick.

TongQing Zhu discovered that the code used instead of the name could load a Node.js file from a remote server, the script is executed via NodeWebKit that is used by Evernote in presentation mode.

“I find Evernote has a NodeWebKit in C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit and Present mode will use it. Another good news is we can execute Nodejs code by stored XSS under Present mode.” explained TongQing Zhu.

The attacker only needs to trick an Evernote into opening a note in presentation mode, in this way he will be able to steal arbitrary files and execute commands.

TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.

The flaw was tracked as CVE-2018-18524 and was initially addressed with the release of Evernote for Windows 6.16.1 beta in October. The final patch was released earlier this month with the release of Evernote 6.16.4.

TongQing Zhu has published two PoC videos for the exploitation of the flaw:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – XSS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.