Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Code Execution in Typora #2505

Open
RootUp opened this issue May 16, 2019 · 3 comments
Open

Code Execution in Typora #2505

RootUp opened this issue May 16, 2019 · 3 comments
Labels

Comments

@RootUp
Copy link

RootUp commented May 16, 2019

Summary

A local file path traversal issue exists in Typora version 0.9.9.24.6 (2400) for macOS which allows an attacker to execute arbitrary programs.

Technical observation

A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app)

Since it also have a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes to the victim to perform further attacks.

Video PoC: Typora.mov.zip

@abnerlee abnerlee added the bug label May 19, 2019
@operatorequals
Copy link

Cannot reproduce. A (better) PoC would help.
My version is the same, and the MacOS version is Mojave.
image

@RootUp
Copy link
Author

RootUp commented Jun 11, 2019

A simple and better PoC would be,

[Hello World](file:///../../../../etc/passwd)
[Hello World](file:///../../../../something.app)

This allows a directory traversal attack. However, HTA based applications are not allowed to call such local file via abusing URI schemes, other alternative applications prevent such attack. Also, you can abuse multiple URI schemes such as ms-word://, etc. Hope this helps.

@operatorequals
Copy link

It helped! I was able to reproduce it. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants