Note Mark Path Traversal Vulnerability Leading to Arbitrary File Write and Remote Code Execution

Vulnerability

A vulnerability in Note Mark versions from 0.13.0 up to, but not including, 0.19.4 allows authenticated users to upload assets to notes without proper validation. The asset filename, provided through the X-Name HTTP header, is stored directly in the database, so a name containing directory traversal sequences is persisted unchanged. When an administrator exports data using the CLI, the unsanitized asset name is used to build file paths; Go's path normalization resolves the ".." components, so the write lands at an arbitrary location on the filesystem instead of inside the export directory. This issue is particularly severe because the export process often runs with root privileges, enabling critical system binaries such as /bin/bash to be overwritten, which can then be leveraged for remote code execution.

Impact

Exploitation of this vulnerability allows for arbitrary file writes with root privileges, bypassing the intended export directory. This can lead to overwriting system binaries, such as /bin/bash, with malicious payloads, causing remote code execution as root. Additionally, writing to locations like /etc/cron.d/ or systemd unit files could provide further exploitation avenues.

Reproduction

To reproduce this vulnerability, upload an asset with a path traversal filename targeting a system binary, such as /bin/bash, using the X-Name header. After the asset is uploaded, trigger the export process as an administrator. The exported data will include the unsanitized asset name, which can be used to overwrite the targeted binary. Once the binary is replaced with the malicious payload, executing the binary will result in remote code execution as root.

Remediation

The vulnerability has been fixed in Note Mark version 0.19.4. Users should update to this version. For versions prior to 0.19.4, it is recommended to apply input validation on the X-Name header to reject asset names containing path separators or directory traversal sequences. Additionally, the export process should sanitize asset names by applying filepath.Base() before using them in file path constructions.
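The two checks recommended above, written as an added Go example that is not Note Mark's own code: a header-side validator for the X-Name value, and an export-side path builder that applies filepath.Base() and then confirms the result still lies inside the export directory. The function names and the /tmp/export directory are assumptions; UnsafeExportPath exists only to show why filepath.Join on its own normalizes the ".." components away rather than rejecting them.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrBadAssetName = errors.New("invalid asset name")

// ValidateAssetName is the input-side check for the X-Name header: reject an
// empty name, "." / "..", either style of path separator, and NUL bytes.
func ValidateAssetName(name string) error {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, "/\\\x00") {
		return ErrBadAssetName
	}
	return nil
}

// UnsafeExportPath reproduces the flawed construction: filepath.Join cleans
// the result, so ".." components in the stored name walk out of exportDir.
func UnsafeExportPath(exportDir, storedName string) string {
	return filepath.Join(exportDir, storedName)
}

// SafeExportPath is the export-side fix: keep only the base name, then verify
// the joined path is strictly inside exportDir (covers names stored earlier).
func SafeExportPath(exportDir, storedName string) (string, error) {
	base := filepath.Base(storedName)
	if base == "." || base == ".." || base == string(filepath.Separator) {
		return "", ErrBadAssetName
	}
	dir := filepath.Clean(exportDir)
	out := filepath.Join(dir, base)
	rel, err := filepath.Rel(dir, out)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadAssetName
	}
	return out, nil
}

func main() {
	// Constructed sample names: a normal upload and a traversal-style value.
	for _, name := range []string{"diagram.png", "../../../../bin/bash"} {
		p, err := SafeExportPath("/tmp/export", name)
		fmt.Printf("%-24q unsafe=%s safe=%s err=%v\n", name, UnsafeExportPath("/tmp/export", name), p, err)
	}
}
```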

Added: May 14, 2026, 7:36 PM
Updated: May 14, 2026, 7:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.