Pinokio URL Redirection Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability in Pinokio version 3.6.23 allows for URL redirection that can lead to remote code execution. When a user visits an attacker-controlled webpage and agrees to open Pinokio, the application can be directed to execute malicious JavaScript files. This issue arises from an internal redirection flaw combined with path traversal, enabling the execution of arbitrary code without proper validation.

Impact

Exploitation of this vulnerability allows for remote code execution on the victim's machine.

Reproduction

To reproduce this vulnerability, first download and install Pinokio Desktop. Then, visit the proof-of-concept link provided in the references. When prompted, confirm to open Pinokio. This will trigger the internal redirection and path traversal vulnerabilities, leading to the execution of a JavaScript file that opens the Calculator application on macOS. The same technique could be used to execute more harmful commands.

Remediation

Users can update to Pinokio version 3.9.1 or later, where this vulnerability has been addressed.

Added: Jul 23, 2025, 8:18 PM
Updated: Jul 23, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.