转:https://hackernoon.com/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374

Exploiting Electron RCE in Exodus wallet

While browsing Twitter I’ve noticed ElectronJS remote code execution vulnerability in protocol handler. That sounds severe. As stated in official description, for application to be vulnerable is enough to register itself as default handler for some protocol. I had one application based on Electron installed on my laptop that I was looking into some time ago — Exodus cryptocurrencies wallet. I knew that it registers itself as a handler for exodus:// URI scheme.

Since no details about vulnerability were presented on the official blog post, I went straight to electron Github looking for recent commits. The following commit was a fix for vulnerability. Biggest change was a newly created file command_line_args.cc which implements few check for command line arguments.

Basically,
the code checks command line arguments against a blacklist. Based on
that, it can be assumed that it is possible to inject command line
arguments via URI handler.
Electron based applications are basically bunch of Javascript and HTML
files rendered by Chromium for front-end and nodejs for back-end. And
Chromium and nodejs is bundled inside main executable file. Those
strings of blacklist in fix commit is command line switches for Chromium
and nodejs. Seems that to exploit vulnerability we only need to find
command line option in Chromium or nodejs that allows to spawn
additional process.

To test if it is really possible to inject arguments to Exodus.exe via protocol I created HTML file:

<!doctype html>
<script>
  window.location = 'exodus://aaaaaaaaa --aaaaa='
</script>

Exodus wallet was launched with the following arguments.

 

Payload was wrapped with double quotes. Nevertheless, double quote was not filtered out or sanitized before passing as command line arguments. The following allowed to inject additional command line switch.

<!doctype html>
<script>
  window.location = 'exodus://aaaaaaaaa" --aaaaa=bbbb'
</script>
 

For remote code execution it is needed to find nice Chromium command line switch that allows to execute additional command. I found page containing nicely summarized list of Chromium command line switches. gpu-launcher looked promising.

— gpu-launcher Extra command line options for launching the GPU process (normally used for debugging). Use like renderer-cmd-prefix.

Time to try it.

<!doctype html>
<script>
  window.location = 'exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa='
</script>
 

Exodus wallet was quick to release an update, it was released shortly after announcement of vulnerability. Also, it does a good job by pushing an update for end users by displaying messages, nevertheless update is not automatic and user still has to confirm an update. Anyway, there is ton of desktop applications based on Electron, so better check if any app running on your machine is based on Electron and make sure it is patched.

转:Exploiting Electron RCE in Exodus wallet的更多相关文章

  1. 幕布V1.1.9最新版漏洞集合

    0X00 前言 幕布本人最早接触是在P神的知识星球里面看到P神推荐的,后来下了个用着还挺好用. 之前一直都放一些零零散散的笔记,最近整理的时候,一时兴起,本着漏洞源于生活的态度,遂对幕布的安全性做了些 ...

  2. vmware漏洞之四:简评USE-AFTER-SILENCE: EXPLOITING A QUIETLY PATCHED UAF IN VMWARE

    转:https://www.zerodayinitiative.com/blog/2017/6/26/use-after-silence-exploiting-a-quietly-patched-ua ...

  3. electron代码审计

    解包 Electron跨平台程序破解https://www.52pojie.cn/thread-563895-1-1.html Electron封装的跨平台程序破解的一般思路: 安装npm(至于如何安 ...

  4. 关于Electron框架应用的安全测试

    Electron框架应用的安全测试 0.Electron相关简介 electron.js是一个运行时框架,它在设计之初就结合了当今最好的Web技术,核心是使用HTML.CSS.JavaScript构建 ...

  5. Electron使用与学习--(页面间的通信)

    目录结构: index.js是主进程js. const electron = require('electron') const app = electron.app const BrowserWin ...

  6. Electron使用与学习--(基本使用与菜单操作)

    对于electron是个新手,下面纯属个人理解.如有错误,欢迎指出.   一.安装 如果你本地按照github上的 # Install the `electron` command globally ...

  7. Electron 不完全快速手册

    Electron能干嘛 Vscode 基于Electron开发的,他是用来开发桌面软件的,可以轻易的跨平台 他的前身是atomshell,图标很丑,不用在意,一点也不像vscode也不用在意.   L ...

  8. Electron中Jquery的引入方式

    原文链接http://huisky.com/blog/16122220522957 Electron默认启用了Node.js的require模块,而jQuery等新版本框架为了支持commondJS标 ...

  9. Electron的环境配置

    原文地址http://huisky.com/blog/161218121551123 本文介绍了Electron的环境配置,包括Electron下载.nodejs下载安装.NPM+Bower安装配置. ...

随机推荐

  1. DLL基本知识

    一.生成方式: 使用DEF文件定义导出接口或使用__declspec(dllexport)描述接口,编译链接后生成dll+lib,其中lib是导入库,里面只有对导出接口的描述,而没有具体实现. 二.链 ...

  2. CSS3实现文本垂直排列

    最近的一个项目中要使文字垂直排列,也就是运用了CSS的writing-mode属性. writing-mode最初时ie中支持的一个属性,后来在CSS3中增添了这一新的属性,所以在ie中和其他浏览器中 ...

  3. Centos下 自动化配置SSH免密码登陆

    hosts文件,存储要部署的节点IP地址,其中以#开头表示注释掉 192.168.101.52 192.168.101.53 192.168.101.54 192.168.101.55 192.168 ...

  4. 【算法日记】Dijkstra最短路径算法

    上一篇再说广度优先搜索的适合提到了图. 狄克斯拉特算法是在图的基础上增加了 加权图的概念.就是节点和节点之间是有不同距离的 1.算法实例 用Dijkstra算法找出以A为起点的单源最短路径步骤如下 算 ...

  5. codeforces Good bye 2016 E 线段树维护dp区间合并

    codeforces Good bye 2016 E 线段树维护dp区间合并 题目大意:给你一个字符串,范围为‘0’~'9',定义一个ugly的串,即串中的子串不能有2016,但是一定要有2017,问 ...

  6. CSS基础复习

    重新撸一遍CSS的基础,因为以前面试的时候被问到,突然发现某些概念搞不清楚,瞬间懵逼了,其实我都知道的,就是因为不会炒概念,导致面试官觉得我很low,你特么连这个都不知道还敢来面试,回家种田去好嘛! ...

  7. 【NOIP】普及组2010 三国游戏

    [算法]贪心 [题解]如果看重一对,先选择其中一个点,该点相邻最大的肯定被选走.所以答案就是最大的[所有点的次大连边点]啦. #include<cstdio> #include<al ...

  8. ue4 TimeRemaining(ratio)找不到的问题

    最近看ue4的Blueprint 3rd Person Game的教学视频,其中第十集https://docs.unrealengine.com/latest/INT/Videos/PLZlv_N0_ ...

  9. bzoj 1143 二分图最大独立集

    我们可以将一个点拆成两个点x,y,那么如果存在一条i->j的路径,我们就连接xi,yj,那么答案就是n-最大匹配数. 因为i->j所以对于i与j只能选一个,那么我们只需要求出来二分图的最大 ...

  10. 首次成功的web渗透

    web渗透 今天给大家讲一个最近做的一件令我振奋的一件事情 渗透培训刚刚结束的第二天 我在公网上挖到了我人生中的第一个站 总体来说个人真的很振奋人心      这个网站还没有进行更改但我已经通知了他们 ...