massCode Code execution (CVE-2020-8548)

    nikhil-mittal
    4-February-2020

A few days back I was looking for a tool to maintain my notes and important code snippets and I came across a tool called massCode

About massCode

massCode is one of the free and open-source code snippet manager tool build with the electron. Sometime back it was in trending on GitHub and also listed on electron website https://www.electronjs.org/apps/masscode

1

massCode makrdown editor

You can select different programming languages to render respecting code snippets but my interest was in markdown editor. Here is a quick image of how massCode markdown editor works

2 3

XSS in massCode makrdown editor

Next, As usual, I tried to inject the script tag to see if it gets executed

4

But nothing happened.

5

Again i tried to inject <a> tag as shown in below image 6

and luckily it worked this time. easy-peasy

7

Code execution in massCode

Since massCode is built on electron and we have XSS vulnerability at the same time. I quickly navigate to the source code available on GitHub, and figured out that nodeIntegration flag is set to true.

8 which means we can invoke node API’s. Next I created a simple XSS payload to open a calculator on windows

<a href="javascript:try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">aaaaaaa</a>

poc-gif

This issue has been fixed in latest relase of massCode

Get to know more about our process, methodology & team!

Close the overlay

I am looking for
Please click one!

Latest news See all news

11-July-2020
Webinar, Online

Visit

Munawwar will give security professionals a comprehensive understanding of the ARM Architecture, reversing ARM binaries, exploiting vulnerabilities and the nuances of ARM shellcoding.

21-May-2020
Webinar, Online

Visit

Arun Magesh will be delivering a webinar on <em>Introduction to IoT Reversing Firmware</em> and discussing how to get started with IoT pentesting with hands-on.

25-April-2020
Workshop, Online

Visit

Ashfaq Ansari is conducting a workshop to get you started with kernel vulnerability analysis and exploitation in the Android platform.