• Always report not working content or content with broken links! We will delete them.

    Use the FILTER (keywords) or SEARCH to get your wanted content more easily.

Tutorial How to use XSS to execute arbitrary code in Evernote

Hacking Father 8

Hacking Father


The content of the article
  • Booth
  • First Steps
  • From XSS to RCE
  • Vulnerability Demonstration (Video)
  • Conclusion

This vulnerability has been identified as CVE-2018-18524.

Evernote is one of the pioneers in cross-device note-taking services with sync capabilities. The public beta was released over a decade ago, in June 2008. Notes here are defined as fragments of formatted text, web pages in whole or in parts, photographs, audio files, or handwritten notes.

Notes can also contain attachments with other file types. Quite a handy thing that has become a part of the everyday life of the modern user. The number of Evernote users has now exceeded 200 million. Of course, Evernote clients are available on all major platforms: Android, iOS, macOS, and of course Windows.

An XSS vulnerability was discovered in the Windows version. Many researchers and auditors underestimate this type of attack and write it off. But before us is just an example of a case when XSS with a slight movement of the hand turns into remote command execution on the user's machine.

The vulnerability was initially discovered by @sebao, and then doped and promoted to RCE by researcher Tongqing Zhu from Knownsec 404 and sent to the vendor. All versions of the application below beta 6.16.1 were at risk. Let's see how this became possible.

Since only the Windows version of the application is vulnerable, we obviously need this OS. An XSS annotation can be created in almost any version below 6.15. I will be using 6.14.5 build 7671. The installation is standard.


Evernote 6.14.5 for Windows

After we create a note with a payload, it will work on any version below beta 6.16.1.
Why is there such confusion with versions? The fact is that since 6.15, developers have implemented user data sanitization: characters <, >and are filtered ". Therefore, it will no longer be possible to create a note with XSS in an application using legal methods.

The first steps
After installation, you need to register or log into your account, if you already have one. Create a new note and drag any picture there.
Top Bottom
AdBlock Detected

We get it, advertisements are annoying!

Sure, ad-blocking software does a great job at blocking ads, but it also blocks useful features of our website. For the best site experience please disable your AdBlocker.

I've Disabled AdBlock