A local file path traversal issue exists in Typora version 0.9.9.24.6 (2400) for macOS which allows an attacker to execute arbitrary programs.
Technical observation
A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app)
Since it also have a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes to the victim to perform further attacks.
This allows a directory traversal attack. However, HTA based applications are not allowed to call such local file via abusing URI schemes, other alternative applications prevent such attack. Also, you can abuse multiple URI schemes such as ms-word://, etc. Hope this helps.
Summary
A local file path traversal issue exists in Typora version 0.9.9.24.6 (2400) for macOS which allows an attacker to execute arbitrary programs.
Technical observation
A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app)
Since it also have a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes to the victim to perform further attacks.
Video PoC: Typora.mov.zip
The text was updated successfully, but these errors were encountered: