From: "Ring \<3 Rootkitty"
Subject: RCE through Org-protocol and org-babel
Date: Tue, 26 Feb 2019 16:31:22 +1100
Message-ID: <0n60xmo96z86ad.fsf@rootkitty.tech>
To: emacs-orgmode@gnu.org

Hi all,

Some time ago I discovered a method of executing remote code by controlling the content sent over org-protocol, escaping the capture template, and embedding an org-babel code block. Details are outlined in the blog post below.

https://rootkitty.tech/post/rce-emacs-capture/

I don't really know if this is the right place to send it, but hey, it's best that people are aware that this is possible, even if it involves user interaction to some extent.

--
Ring <3 Rootkitty
https://rootkitty.tech