
XSS to Remote Code Execution vulnerability (via "nodeIntegration: true") #202

Open
ChampionLeake opened this issue Aug 18, 2023 · 1 comment
Labels
vulnerability Vulnerability
Milestone

Comments

@ChampionLeake

Vulnerability:

nodeIntegration is set to true, which allows access to node features from the renderer process.
This can allow an attacker to escape out of the renderer process and execute code on the target’s computer.

How to reproduce the vulnerability:

  1. Simply create a new note.
  2. Embed the following code into the note:
    <a onmouseover="alert('lets do some calculus :D'); try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">Open Calculator</a>
  3. Hover over the "Open Calculator" text.

Video Demonstration:

202308171930.mp4

Attacker to Victim Scenario:

An attacker can simply create a malicious markdown file, CheckOutMyNotes.md, and make it publicly available for download or trick victims into downloading and opening the file with the Knowte application.

Impact:

I have showcased my payload to open the calculator application as proof of concept for Remote Code Execution. However, alternative payloads could enable the attacker to achieve remote access to the target's system. Consequently, the potential impact on confidentiality, integrity, and availability stemming from this vulnerability should be categorized as significant.
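The main-process hardening that closes this chain, as an added example that is not Knowte's code: with nodeIntegration off and contextIsolation on, the injected handler's require('electron') is undefined in the page, and the injected URL policy refuses file: and javascript: targets even if a link or window.open reaches the main process. BrowserWindow, shell and ipcMain are injected so the module loads outside Electron; the preload path and index URL are placeholders.

```javascript
// Added example (hypothetical names); not part of the Knowte project.

// webPreferences that remove the renderer -> Node escape this issue reports.
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,   // no require() in the page; the PoC's require('electron') throws
    contextIsolation: true,   // preload script and page JS run in separate worlds
    sandbox: true,            // renderer stays inside the Chromium sandbox
    webSecurity: true,
    preload: preloadPath,     // expose only explicit functions via contextBridge
  };
}

// Only plain web URLs may be opened externally; file:, javascript: etc. are refused.
function isSafeExternalUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return false; }
  return u.protocol === 'https:' || u.protocol === 'http:';
}

// Wire the window; Electron objects are injected so this runs in a plain Node test too.
function createHardenedWindow({ BrowserWindow, shell, ipcMain }, preloadPath, indexUrl) {
  const win = new BrowserWindow({ webPreferences: hardenedWebPreferences(preloadPath) });
  // In-page navigation away from the app's own document is refused (exact-match policy).
  win.webContents.on('will-navigate', (event, url) => {
    if (url !== indexUrl) event.preventDefault();
  });
  // window.open / target=_blank never spawns a new BrowserWindow; safe URLs go to the OS browser.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
  // The preload exposes one validated way to open links, routed through the same policy.
  ipcMain.handle('open-external', (_event, url) =>
    isSafeExternalUrl(url) ? shell.openExternal(url) : Promise.reject(new Error('refused')));
  win.loadURL(indexUrl);
  return win;
}

module.exports = { hardenedWebPreferences, isSafeExternalUrl, createHardenedWindow };
```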

@digimezzo digimezzo added the vulnerability Vulnerability label Aug 21, 2023
@digimezzo digimezzo added this to the Knowte v3.0.1 milestone Aug 21, 2023
@digimezzo
Owner

@ChampionLeake Thank you for reporting this and for the detailed instructions to reproduce it. I've planned to fix this in the next release.
