Remote Code Execution Through Cross-Site Scripting In Electron Apps
How to execute a Remote Code Execution attack through an XSS payload in Electron Apps
Héctor Alejandro Martos Gómez
CVE-2020–35717 — RCE through XSS in zonote Electron App
For those unfamiliar with the term, CVE stands for Common Vulnerabilities and Exposures. Each CVE record contains a standard identifier, a brief description, and references to related vulnerability reports and advisories. The MITRE Corporation maintains the list of records for all publicly disclosed vulnerabilities, and the list is free to use.
The CVE list feeds the U.S. National Vulnerability Database (NVD) which also provides a score for each CVE. This score (called CVSS) is divided into three categories —Base, Temporal, and Environmental— and defines the impact of the vulnerability.
zonote is a cross-platform desktop note-taking app. Although the most basic use is saving a simple text note, you can use Markdown code or embed any kind of HTML.
This last fact made me wonder whether zonote would be vulnerable to Cross-Site Scripting. Cross-Site Scripting, or XSS, is one of the most frequent vulnerabilities in web applications, and it is ranked 7th in the OWASP Top 10 Web Application Security Risks.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
There are a lot of references on the Internet where you can find XSS payloads, so it’s a really simple attack to carry out.
To test if zonote was vulnerable to this kind of attack, I created a new note and inserted one of my favorite XSS payloads, which executes some code when the user hovers a link.
Escalating the XSS attack to a Remote Code Execution attack
The first question that came to my mind after this discovery was:
Is this such a big issue?
For sure it’s an issue, but XSS attacks are very common, and their power is usually limited to the scope that they are executed on. But zonote is an Electron app, and as pointed out in the Electron security documentation:
A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user’s computer.
Disabling Node.js integration helps prevent an XSS from being escalated into a so-called “Remote Code Execution” (RCE) attack.
So this could be even more harmful if Node.js integration is enabled. As I had access to the code, it was trivial to search for the property nodeIntegration.
After confirming that the Node.js integration was enabled, I could slightly modify the previous XSS payload to require the shell module in Electron and see the list of exposed methods.
At this point, we had confirmed that the Node.js API was reachable through XSS. As a simple Proof of Concept of the Remote Code Execution, we can open the Calculator app.
Finally, to confirm that the vulnerability was exploitable cross-platform I just exported a note with an XSS payload to open the Windows calculator and imported it into a Windows OS.
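The mitigation the Electron documentation quoted above points to, as an added example that is not zonote's code: a hardened `webPreferences` set for a window that renders untrusted notes, plus a small audit function that flags the settings which let an XSS reach Node.js. Function names, the preload path and the findings text are my own; the block is plain Node.js and runs without Electron installed.

```javascript
// Added example (not zonote's code). Hardened BrowserWindow settings for a
// renderer that displays attacker-controlled HTML, and an audit of the
// webPreferences that turn an XSS into RCE. Pure Node.js, no Electron needed.

// Each setting below removes one step from the XSS -> Node.js -> RCE chain.
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,          // no require() from page script: the zonote finding
    contextIsolation: true,          // preload and page do not share a JS world
    sandbox: true,                   // renderer runs in the OS-level Chromium sandbox
    webSecurity: true,               // keep the same-origin policy
    allowRunningInsecureContent: false,
    enableRemoteModule: false,       // only meaningful on Electron 10-13, harmless elsewhere
    preload: preloadPath,            // expose a minimal, audited API via contextBridge
  };
}

// Inspects an options object as it would be passed to `new BrowserWindow(...)`.
// Returns one string per setting that lets injected script reach Node.js or
// escape web-platform restrictions; an empty array means nothing was flagged.
// Only explicit values are checked: unset keys are assumed to carry the
// defaults of a current Electron release (nodeIntegration off, contextIsolation on).
function auditWebPreferences(windowOptions) {
  const p = (windowOptions && windowOptions.webPreferences) || {};
  const findings = [];
  if (p.nodeIntegration === true) findings.push('nodeIntegration enabled: XSS can require() Node modules (CVE-2020-35717 pattern)');
  if (p.nodeIntegrationInWorker === true) findings.push('nodeIntegrationInWorker enabled: Node.js reachable from web workers');
  if (p.contextIsolation === false) findings.push('contextIsolation disabled: page script can reach preload globals');
  if (p.sandbox === false) findings.push('sandbox disabled: renderer compromise is not contained by the OS sandbox');
  if (p.webSecurity === false) findings.push('webSecurity disabled: same-origin policy is off');
  if (p.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent enabled: mixed content allowed');
  if (p.enableRemoteModule === true) findings.push('enableRemoteModule enabled: main-process objects exposed to the renderer');
  return findings;
}

// Hypothetical helper the app's main process would call. Only this function
// touches Electron, so the module loads fine outside an Electron runtime.
function openNoteWindow(preloadPath) {
  const { BrowserWindow } = require('electron');
  const options = { width: 900, height: 600, webPreferences: hardenedWebPreferences(preloadPath) };
  const findings = auditWebPreferences(options);
  if (findings.length > 0) throw new Error('refusing to open an unsafe note window: ' + findings.join('; '));
  return new BrowserWindow(options);
}

if (typeof module !== 'undefined') {
  module.exports = { hardenedWebPreferences, auditWebPreferences, openNoteWindow };
}
```

Running `auditWebPreferences` over the options an existing app passes to `BrowserWindow` is a quick way to spot the nodeIntegration/contextIsolation combination this write-up relies on before shipping a build.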
Impact of the vulnerability
The XSS payload used for demonstration purposes requires user interaction to get executed, but we could use another payload that gets executed as soon as the note is processed.
We have opened the calculator application as a PoC for the Remote Code Execution, but we could execute a payload to obtain remote access to the victim’s system. Therefore, the impact on confidentiality, integrity, and availability of this vulnerability should be considered as high.
- 2020–12–26 Issue discovered and contact with the owner
- 2020–12–26 Owner expresses his intention of neither maintaining the repository nor fixing the vulnerability
- 2020–12–26 Reserved CVE identifier CVE-2020–35717
- 2021–01–01 Public disclosure of the vulnerability
Originally published here.
Héctor Alejandro Martos Gómez
Software Engineer. Curious and passionate Ethical Hacker. Believer in open-source philosophy. Learn by mistake, teach by example. https://hmartos.github.io