Stackfield Desktop App Path Traversal Vulnerability Leading to Remote Code Execution

A path traversal vulnerability has been identified in the Stackfield Desktop App for Windows and macOS, prior to version 1.10.2. This vulnerability exists in the decryption process of organizational data exports, where the 'filePath' property is not properly sanitized. As a result, a malicious export can write arbitrary content to any writable location on the victim's filesystem. Exploiting this vulnerability can lead to remote code execution, especially if the written file is a script that gets executed by the system.

Impact

Exploitation of this vulnerability allows for arbitrary file writes to attacker-controlled locations, with the potential for remote code execution if the written file is executed by the system.

Reproduction

To reproduce this vulnerability, an attacker must create a malicious encrypted export that exploits the path traversal flaw. This involves setting the 'filePath' and 'fileGuid' properties in a way that tricks the application into writing a file to a sensitive location, such as the Windows Startup folder or equivalent macOS persistence paths. Once the export is imported using the Stackfield Desktop App, the application will decrypt the contents and write the file to the specified location, leading to code execution.

Remediation

Users are advised to update the Stackfield Desktop App to version 1.10.2 or later.