XSS and RCE marked down for vulnerabilities
These security problems impact projects that make use of the library, including HackMD, a popular collaborative markdown note editor.
The first two XSS exploits were easy to trigger, but for the third, callback functions needed to be defined, according to Zhou.
Early attempts to trigger the third XSS payload resulted in the software's Content Security Policy (CSP) blocking Zhou’s efforts.
Anatomy of an RCE bug
The researcher then turned his attention specifically to the desktop version of HackMD to see if an RCE could be triggered.
Electron renders web pages from hackmd.io using a renderer.js script in a privileged context.
Zhou found that it was possible to use an XSS flaw to redirect pages from hackmd.io to a malicious page containing a payload in the page title, triggering RCE.
The XSS exploit was reported to HackMD on July 3, followed by the private disclosure of the RCE issue roughly a week later.
HackMD told The Daily Swig: “Developed and operated by a small start-up of four developers, HackMD is known for its rendering of a wide array of users’ input.
“We are humbled by the variety of ways things could go wrong and learned from this episode that properly escaping user inputs is paramount in developing a safe and trustworthy markdown renderer.
“We deeply appreciate our community’s vigilance in helping us improve the security aspect of HackMD.”
Users of HackMD are encouraged to upgrade Mermaid to version 8.2 to mitigate the risk of exploitation.
“We’ve always prioritized the security issues the community brought to our attention and promise we will continue in doing so,” HackMD added.
“We look forward to continuing to build a developer tool that helps developers do documentation right efficiently and, more importantly, safely, for our community.”
Zhou initially presented his findings at a talk during the DEF CON 27 hacking conference this past August.
This article has been updated to include comment from HackMD.