XSS and RCE marked down for vulnerabilities

UPDATED A combination of cross-site scripting (XSS) vulnerabilities and a possible remote code execution (RCE) attack impacting HackMD, the collaborative markdown tool, has been disclosed.

Junyu Zhou from Tencent Security Xuanwu Lab, also known as md5_salt, discovered the security issues and published a proof-of-concept (PoC) in a blog post late last week.

The XSS flaws stem from coding bugs in the Mermaid flow chart library, with three possible methods available to trigger the exploit.

Two of the potential attacks rely on the HTML code being rendered inappropriately, whereas the third relates to user interaction – the binding of a click event to a node – leading to the launch of a malicious link in a browser tab or a JavaScript callback.

These security problems impact projects that make use of the library, including HackMD, a popular collaborative markdown note editor.

The first two XSS exploits were easy to trigger but, for the third, callback functions need to be defined, according to Zhou.

Early attempts to trigger the third XSS payload resulted in the software's Content Security Policy (CSP) blocking Zhou’s efforts.

However, by injecting crafted JavaScript code via Google Analytics, which is whitelisted by HackMD’s CSP, Zhou was able to bypass HackMD’s CSP. The hack works when partnered with the abuse of HackMD jQuery functionality.

Anatomy of an RCE bug

The researcher then turned his attention specifically to the desktop version of HackMD to see if an RCE could be triggered.

The desktop version of the software utilizes the Electron framework, an open source project for building cross-platform apps with JavaScript, HTML, and CSS.

Electron renders web pages from hackmd.io using a renderer.js script in a privileged context.

Zhou found that it was possible to use an XSS flaw to redirect pages from hackmd.io to a malicious page containing a payload in the page title, triggering RCE.
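One way a desktop wrapper can refuse the redirect step described above, shown as an added example (this is not HackMD's code or its actual fix). The trusted-origin list and the helper names `isTrustedUrl` and `guardNavigation` are assumptions; `will-navigate`, `will-redirect` and `setWindowOpenHandler` are Electron `webContents` APIs.

```javascript
// Added example: navigation allowlist for an Electron window that should only
// ever display one trusted origin. TRUSTED_ORIGINS is an assumption.
const TRUSTED_ORIGINS = new Set(['https://hackmd.io']);

// Returns true only when the URL parses and its exact origin is trusted.
// Comparing parsed origins (not substrings) rejects look-alikes such as
// https://hackmd.io.attacker.example/ and https://hackmd.io@attacker.example/,
// and rejects plain http, file:, data: and javascript: URLs.
function isTrustedUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Attaches the guard to an Electron webContents object (hypothetical helper).
// 'will-navigate' fires before the window leaves the current page and
// 'will-redirect' fires on server-side redirects; preventDefault() cancels both.
function guardNavigation(contents, log = console.warn) {
  for (const eventName of ['will-navigate', 'will-redirect']) {
    contents.on(eventName, (event, url) => {
      if (!isTrustedUrl(url)) {
        event.preventDefault();
        log(`blocked ${eventName} to untrusted URL: ${url}`);
      }
    });
  }
  // Windows opened by page script get the same decision.
  if (typeof contents.setWindowOpenHandler === 'function') {
    contents.setWindowOpenHandler(({ url }) =>
      ({ action: isTrustedUrl(url) ? 'allow' : 'deny' }));
  }
}
```

In an Electron main process, `guardNavigation(win.webContents)` would be called right after the `BrowserWindow` is created. The guard limits where injected script can send the privileged window; it does not replace fixing the XSS itself.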

The XSS exploit was reported to HackMD on July 3, followed by the private disclosure of the RCE issue roughly a week later.

HackMD acknowledged the security problems and managed to resolve the RCE on July 11, followed by a fix for the XSS vulnerability through a software update on July 29.

HackMD told The Daily Swig: “Developed and operated by a small start-up of four developers, HackMD is known for its rendering of a wide array of users’ input.

“We are humbled by the variety of ways things could go wrong and learned from this episode that properly escaping user inputs is paramount in developing a safe and trustworthy markdown renderer.

“We deeply appreciate our community’s vigilance in helping us improve the security aspect of HackMD.”

Users of HackMD are encouraged to upgrade Mermaid to version 8.2 to mitigate the risk of exploit.

“We’ve always prioritized the security issues the community brought to our attention and promise we will continue in doing so,” HackMD added.

“We look forward to keep building a developer tool that helps developers do documentation right efficiently, and more importantly, safely, for our community.”

Zhou initially presented his findings at a talk during the DEF CON 27 hacking conference this past August.


This article has been updated to include comment from HackMD.