[CVE-2020-22721] – Pnotes Insecure .exe File Upload Vulnerability – code execution

Product Owner: PNotes – Andrey Gruber © 2007 – 2020

Type:  Installable/Customer-Controlled Application

Application Name: PNotesNET version 3.8.1.2

Managing your day-to-day life is not an easy job to do. There are so many things for concern – housekeeping, shopping, children… And what about cousin’s birthday that you always forget or important phone numbers? Undoubtedly your working place is covered with dusty yellow (or blue, or pink) sticky notes. If so – PNotes is right for you. Throw the physical stickies away and replace them with virtual ones on your desktop.

PNotes (Pinned Notes or Portable Notes, use what you prefer) exists in two different editions:

  • PNotes – the older one, written entirely in plain C and Windows API (with Pelles C for Windows IDE)
  • PNotes.NET – the newer one, written in C#, requires .NET Framework 4.5

Product Url: https://pnotes-1932d.firebaseapp.com/home

Download Url:  https://sourceforge.net/projects/pnotes/files/PNotes.NET/Bin/PNotesNET3812Setup.exe/download

Application Release Date: 04 May 2019

Severity: High

Authentication: Required

Complexity: Medium

Vulnerability Name: Pnotes Insecure File Upload Vulnerability using (Miscellaneous – External Programs) and arbitrary code execution

Vulnerability Explanation: Pnotes is a third-party open source application mainly used for taking notes. We can upload a malicious .exe file via Miscellaneous – External programs and perform code execution via command line access.

PNotes Documentation – about External Programs use

Tested Os: Windows 10 Pro

Vulnerability Details:

Creating a malicious payload using msfvenom

Using msfvenom, we create a malicious .exe file to upload

Transfer the malicious implant .exe file – Pnshell.exe – to the victim system:

Pnshell Upload in Miscellaneous – External programs

Uploading the implant .exe file
Click Run to Execute the external program – PnotesShell

Code Execution using Pnshell.exe :

Command Line Access:

Pnotes reverse shell
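
A defender-side check for the behaviour described above, as an added example that is not part of the original advisory: it flags Sysmon process-creation (Event ID 1) records in which PNotes is the parent of an unapproved executable. The parent image names, the allowlist and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumption: image names of the PNotes editions; confirm against your own telemetry.
PNOTES_PARENTS = {"pnotes.net.exe", "pnotes.exe"}
# Locations a standard user can write to, where a transferred executable usually lands.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Constructed allowlist: programs approved for use as PNotes external programs.
APPROVED_CHILDREN = {r"c:\windows\system32\notepad.exe"}


def triage(event):
    """Classify one Sysmon Event ID 1 record; return (severity, reason) or None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in PNOTES_PARENTS:
        return None  # not launched by PNotes
    image = ntpath.normpath(event.get("Image", "")).lower()
    if image in APPROVED_CHILDREN:
        return None  # expected external program
    if any(part in image for part in USER_WRITABLE):
        return ("high", "PNotes launched an executable from a user-writable path")
    return ("medium", "PNotes launched a program that is not on the approved list")


def scan(events):
    """Return one alert dict per suspicious process-creation event."""
    alerts = []
    for event in events:
        verdict = triage(event)
        if verdict:
            alerts.append({"severity": verdict[0], "reason": verdict[1],
                           "image": event.get("Image", ""), "user": event.get("User", "")})
    return alerts


# Constructed sample records (paths and user names are illustrative, not from the advisory).
PN = r"C:\Program Files (x86)\PNotes.NET\PNotes.NET.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Users\alice\tool.exe", "User": "LAB\\alice"},
    {"ParentImage": PN, "Image": r"C:\Windows\System32\notepad.exe", "User": "LAB\\alice"},
    {"ParentImage": PN, "Image": r"C:\Users\alice\Downloads\Pnshell.exe", "User": "LAB\\alice"},
    {"ParentImage": PN, "Image": r"C:\Windows\System32\cmd.exe", "User": "LAB\\alice"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```
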

Vendor Status:

[18.04.2020] Vulnerability discovered.
[18.04.2020] Vendor contacted.

[19.04.2020] CVE applied

[14.08.2020] CVE Assigned – CVE-2020-22721

References

https://pnotes-1932d.firebaseapp.com/news

https://pnotes-1932d.firebaseapp.com/home

Contact

Email – mr.anandmurugan@gmail.com

Twitter – https://twitter.com/syh4ck
