From 33ac8ac742972cfa7f0009b850989634b4531d0e Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 22 Sep 2025 18:34:55 +0000 Subject: [PATCH 1/3] Add content from: Electron Research in Desktop apps [Part 1] - Remove searchindex.js (auto-generated file) --- .../electron-desktop-apps/README.md | 54 ++++++++++++++++++- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md index ed124f26c..37ab1c872 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md @@ -136,6 +136,21 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
+### Real-world case: Notable (CVE-2020-15174) + +- Root cause: Renderer ran with `webPreferences.nodeIntegration = true`, so any renderer XSS had direct access to Node APIs. +- Exploit: From the XSS primitive, spawn an OS process via child_process. + +```js +// renderer (XSS) with nodeIntegration: true +require('child_process').exec('calc.exe'); // Windows +require('child_process').exec('/System/Applications/Calculator.app'); // macOS +``` + +- Observed behavior: The app spawned a shell (e.g., `cmd.exe`) and launched Calculator, confirming renderer-to-OS code execution. +- Mitigations: Set `nodeIntegration: false`, enable `contextIsolation: true`, and expose only audited capabilities via `contextBridge` in a preload. +- References: GHSA-2q4g-w47c-4674 / CVE-2020-15174. + ## RCE: preload The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**: 
@@ -443,6 +458,38 @@ pentesting-web/content-security-policy-csp-bypass/ {{#endref}} +## RCE: Webview CSP + postMessage trust + local file loading (VS Code 1.63) + +This real-world chain affected Visual Studio Code 1.63 (CVE-2021-43908) and demonstrates how a single markdown-driven XSS in a webview can be escalated to full RCE when CSP, postMessage, and scheme handlers are misconfigured. Public PoC: https://github.com/Sudistark/vscode-rce-electrovolt + +Attack chain overview +- First XSS via webview CSP: The generated CSP included `style-src 'self' 'unsafe-inline'`, allowing inline/style-based injection in a `vscode-webview://` context. The payload beaconed to `/stealID` to exfiltrate the target webview’s extensionId. +- Constructing target webview URL: Using the leaked ID to build `vscode-webview:///.../`. +- Second XSS via postMessage trust: The outer webview trusted `window.postMessage` without strict origin/type checks and loaded attacker HTML with `allowScripts: true`. +- Local file loading via scheme/path rewriting: The payload rewrote `file:///...` to `vscode-file://vscode-app/...` and swapped `exploit.md` for `RCE.html`, abusing weak path validation to load a privileged local resource. +- RCE in Node-enabled context: The loaded HTML executed with Node APIs available, yielding OS command execution. + +Example RCE primitive in the final context +```js +// RCE.html (executed in a Node-enabled webview context) +require('child_process').exec('calc.exe'); // Windows +require('child_process').exec('/System/Applications/Calculator.app'); // macOS +``` + +Related reading on postMessage trust issues: + +{{#ref}} +../../../pentesting-web/postmessage-vulnerabilities/README.md +{{#endref}} + +Hardening guidance +- Default to `contextIsolation: true` and `nodeIntegration: false` in all windows/webviews. +- Expose only minimal, audited APIs via `contextBridge.exposeInMainWorld()` in a preload; never expose raw Node to untrusted content. 
+- Webview CSP: remove `'unsafe-inline'`; prefer nonces/hashes; restrict `allowScripts`; avoid loading extension-controlled HTML in untrusted frames. +- Message validation: enforce strict origin allowlists and message schema; never toggle script execution from untrusted messages. +- Scheme/resource guards: canonicalize and strictly constrain custom scheme mappings (e.g., `vscode-file://`), enforce allowlists, and prevent traversal/LFI into app resources. +- IPC: audit all endpoints and sanitize renderer-controlled inputs. + ## **Tools** - [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. @@ -587,6 +634,11 @@ Detection and mitigations ## **References** +- [SecureLayer7: Electron Research in Desktop apps (Part 1)](https://blog.securelayer7.net/electron-app-security-risks/) +- [VS Code RCE PoC (CVE-2021-43908) – electrovolt](https://github.com/Sudistark/vscode-rce-electrovolt) +- [GitHub Advisory GHSA-2q4g-w47c-4674 (CVE-2020-15174)](https://github.com/advisories/GHSA-2q4g-w47c-4674) +- [MSRC: CVE-2021-43908](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908) + - [Trail of Bits: Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/) - [Electron fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) - [Electron ASAR integrity](https://www.electronjs.org/docs/latest/tutorial/asar-integrity) @@ -607,5 +659,3 @@ Detection and mitigations - [https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html](https://blog.doyensec.com/2021/02/16/electron-apis-misuse.html) {{#include ../../../banners/hacktricks-training.md}} - - From e94fb5c22d5adf47433190440a8b37c47a2ff143 Mon Sep 17 00:00:00 2001 
From: SirBroccoli Date: Mon, 29 Sep 2025 23:19:13 +0200 Subject: [PATCH 2/3] Update README.md --- .../electron-desktop-apps/README.md | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md index 37ab1c872..13a9aec21 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md @@ -136,21 +136,6 @@ If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Nod
-### Real-world case: Notable (CVE-2020-15174) - -- Root cause: Renderer ran with `webPreferences.nodeIntegration = true`, so any renderer XSS had direct access to Node APIs. -- Exploit: From the XSS primitive, spawn an OS process via child_process. - -```js -// renderer (XSS) with nodeIntegration: true -require('child_process').exec('calc.exe'); // Windows -require('child_process').exec('/System/Applications/Calculator.app'); // macOS -``` - -- Observed behavior: The app spawned a shell (e.g., `cmd.exe`) and launched Calculator, confirming renderer-to-OS code execution. -- Mitigations: Set `nodeIntegration: false`, enable `contextIsolation: true`, and expose only audited capabilities via `contextBridge` in a preload. -- References: GHSA-2q4g-w47c-4674 / CVE-2020-15174. - ## RCE: preload The script indicated in this setting is l**oaded before other scripts in the renderer**, so it has **unlimited access to Node APIs**: From 284211ccdddca54f6675bed5dc9bca8767d5e832 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 29 Sep 2025 23:21:15 +0200 Subject: [PATCH 3/3] Update README.md --- .../pentesting-web/electron-desktop-apps/README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md index 13a9aec21..69c967da5 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md 
@@ -467,14 +467,6 @@ Related reading on postMessage trust issues: ../../../pentesting-web/postmessage-vulnerabilities/README.md {{#endref}} -Hardening guidance -- Default to `contextIsolation: true` and `nodeIntegration: false` in all windows/webviews. -- Expose only minimal, audited APIs via `contextBridge.exposeInMainWorld()` in a preload; never expose raw Node to untrusted content. -- Webview CSP: remove `'unsafe-inline'`; prefer nonces/hashes; restrict `allowScripts`; avoid loading extension-controlled HTML in untrusted frames. -- Message validation: enforce strict origin allowlists and message schema; never toggle script execution from untrusted messages. -- Scheme/resource guards: canonicalize and strictly constrain custom scheme mappings (e.g., `vscode-file://`), enforce allowlists, and prevent traversal/LFI into app resources. -- IPC: audit all endpoints and sanitize renderer-controlled inputs. - ## **Tools** - [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. @@ -623,7 +615,6 @@ Detection and mitigations - [VS Code RCE PoC (CVE-2021-43908) – electrovolt](https://github.com/Sudistark/vscode-rce-electrovolt) - [GitHub Advisory GHSA-2q4g-w47c-4674 (CVE-2020-15174)](https://github.com/advisories/GHSA-2q4g-w47c-4674) - [MSRC: CVE-2021-43908](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908) - - [Trail of Bits: Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more](https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/) - [Electron fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) - [Electron ASAR integrity](https://www.electronjs.org/docs/latest/tutorial/asar-integrity) 
@@ -633,7 +624,6 @@ Detection and mitigations - [Loki C2](https://github.com/boku7/Loki/) - [Chromium: Disable loading of unsigned code (CIG)](https://chromium.googlesource.com/chromium/src/+/refs/heads/lkgr/docs/design/sandbox.md#disable-loading-of-unsigned-code-cig) - [Chrome security FAQ: physically local attacks out of scope](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md#why-arent-physically_local-attacks-in-chromes-threat-model) - - [https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028) - [https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d](https://medium.com/@renwa/facebook-messenger-desktop-app-arbitrary-file-read-db2374550f6d) - [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=8)
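Review bot: The subject of PATCH 1/3 says "Remove searchindex.js (auto-generated file)", but the diffstat lists only `electron-desktop-apps/README.md` (1 file changed, 52 insertions, 2 deletions), so either the subject is stale or a file is missing from the patch; align the commit message with the actual change. In the `@@ -136,6 +136,21 @@` hunk of the same patch, the `require('child_process').exec(...)` snippet is repeated verbatim in the later `@@ -443,6 +458,38 @@` hunk ("Example RCE primitive in the final context"); keep it once and refer back to it, and fold the per-case `- References: GHSA-2q4g-w47c-4674 / CVE-2020-15174.` bullet into the `## **References**` list, which this patch already extends with the GHSA-2q4g-w47c-4674 entry.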
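Review bot: In the "Attack chain overview" bullets of PATCH 1/3's `@@ -443,6 +458,38 @@` hunk, the first step is labelled "First XSS via webview CSP", yet the only CSP weakness cited is `style-src 'self' 'unsafe-inline'`, which governs inline styles and does not by itself permit script execution; either state which directive allowed script to run or relabel the step as a style/CSS injection, so that the root cause lines up with the later mitigation "Webview CSP: remove `'unsafe-inline'`". As a style point in the same hunk, "Attack chain overview", "Example RCE primitive in the final context" and "Hardening guidance" are bare text lines used as headings while the README uses markdown headings (`## RCE: ...`, `### Real-world case ...` in the same patch); make them `###` headings so they render consistently.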
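Review bot: PATCH 2/3 deletes the whole "Real-world case: Notable (CVE-2020-15174)" subsection but leaves the `[GitHub Advisory GHSA-2q4g-w47c-4674 (CVE-2020-15174)]` entry that PATCH 1/3 added to `## **References**` (it is still present as unchanged context in PATCH 3/3's `@@ -623,7 +615,6 @@` hunk), so that reference now points at nothing in the text; either remove the entry as well or keep a one-line mention of the case in the nodeIntegration section. The subject "Update README.md" also does not say what was removed or why; describe the deletion in the commit message so the history explains why the case study came and went within the same series.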
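Review bot: PATCH 3/3's `@@ -467,14 +467,6 @@` hunk deletes the entire "Hardening guidance" list, leaving the "RCE: Webview CSP + postMessage trust + local file loading (VS Code 1.63)" section with an attack chain and an RCE primitive but no mitigations, even though the heading itself names the three misconfigurations (CSP, postMessage trust, scheme/path handling) that the removed bullets addressed. If the list was judged too generic, keep at least the three case-specific items (drop `'unsafe-inline'` from the webview CSP and restrict `allowScripts`; validate origin and message type before acting on `window.postMessage`; canonicalize and allowlist `vscode-file://` mappings to block traversal into app resources) or point readers to the existing "Detection and mitigations" section that appears as hunk context; a second "Update README.md" subject should likewise state what was removed.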