While browsing Twitter I’ve noticed in protocol handler. That sounds severe. As stated in official description, for application to be vulnerable is enough to register itself as default handler for some protocol. I had one application based on Electron installed on my laptop that I was looking into some time ago — cryptocurrencies wallet. I knew that it registers itself as a handler for URI scheme. ElectronJS remote code execution vulnerability Exodus exodus:// Since no details about vulnerability were presented on the official blog post, I went straight to electron looking for recent commits. The following was a fix for vulnerability. Biggest change was a newly created file which implements few check for command line arguments. Github commit command_line_args.cc _electron - Build cross platform desktop apps with JavaScript, HTML, and CSS_github.com electron/electron Basically, the code checks command line arguments against a blacklist. Based on that, it can be assumed that it is possible to inject command line arguments via URI handler**.** Electron based applications are basically bunch of Javascript and HTML files rendered by Chromium for front-end and nodejs for back-end. And Chromium and nodejs is bundled inside main executable file. Those strings of blacklist in fix commit is command line switches for Chromium and nodejs. Seems that to exploit vulnerability we only need to find command line option in Chromium or nodejs that allows to spawn additional process. To test if it is really possible to inject arguments to Exodus.exe via protocol I created HTML file: <!doctype html><script>window.location = 'exodus://aaaaaaaaa --aaaaa='</script> Exodus wallet was launched with the following arguments. Payload was wrapped with double quotes. Nevertheless, double quote was not filtered out or sanitized before passing as command line arguments. The following allowed to inject additional command line switch. <!doctype html><script>window.location = 'exodus://aaaaaaaaa" --aaaaa=bbbb'</script> For remote code execution it is needed to find nice Chromium command line switch that allows to execute additional command. I found containing nicely summarized list of Chromium command line switches. looked promising. page gpu-launcher — gpu-launcher Extra command line options for launching the GPU process (normally used for debugging). Use like renderer-cmd-prefix. Time to try it. <!doctype html><script>window.location = 'exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa='</script> Exodus wallet was quick to release an update, it was released shortly after announcement of vulnerability. Also, it does a good job by pushing an update for end users by displaying messages, nevertheless update is not automatic and user still has to confirm an update. Anyway, there is ton of desktop applications based on Electron, so better check if any app running on your machine is based on Electron and make sure it is patched.

BUNCH

Twitter

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Exploiting Electron RCE in Exodus wallet

Too Long; Didn't Read

Companies Mentioned

Tomas Lažauninkas

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Exploiting Electron RCE in Exodus wallet

Too Long; Didn't Read

Companies Mentioned

Tomas Lažauninkas

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES