infamous shell.openExternal: opens an application based on URI and filetype association.
when exposed to the renderer, remote.app allows the renderer process to access APIs normally only available in the main process (this module will be deprecated in Electron 12 and removed in Electron 14)
Many of the functions exposed by this object can be easily abused, including but not limited to:
- app.relaunch([options]) Relaunches the app when current instance exits.
- app.setAppLogsPath([path]) Sets or creates a directory for your app's logs, which can then be manipulated with app.getPath() or app.setPath(pathName, newPath).
- app.setAsDefaultProtocolClient(protocol[, path, args]) Sets the current executable as the default handler for a specified protocol.
- app.setUserTasks(tasks) Adds tasks to the Tasks category of the Jump List (Windows only).
- app.importCertificate(options, callback) Imports the certificate in pkcs12 format into the platform certificate store (Linux only).
- app.moveToApplicationsFolder([options]) Moves the application to the default Applications folder (Mac only).
- app.setJumpList(categories) Sets or removes a custom Jump List for the application (Windows only).
- app.setLoginItemSettings(settings) Sets executables to launch at login with their options (Mac, Windows only).
systemPreferences: can be abused to leak information about the user's behavior, operating system activity, and usage patterns
- subscribeNotification and subscribeWorkspaceNotification: can be used to subscribe to native macOS notifications
- getUserDefault: returns the value of a key in NSUserDefaults on macOS (can return global or application preferences)
- setUserDefault: sets user defaults for application preferences related to the target application on macOS
shell.showItemInFolder:
- on Linux, if the folder path can be replaced with an arbitrary executable file, the attacker could win the inherent TOCTOU race condition and execute the file.
- on older Windows systems, ShellExecute is used as a fallback, specifying "open" as the lpVerb parameter, which launches an executable or a file's associated application
https://github.com/doyensec/electronegativity
hacking electron:
- https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
vulnerabilities: