Skip to content

Instantly share code, notes, and snippets.

@alexiasa

alexiasa/electron.md

Created April 28, 2021 03:34
Show Gist options
  • Save alexiasa/8240416b5ec4978ee2f7a9120b6a96e3 to your computer and use it in GitHub Desktop.
Save alexiasa/8240416b5ec4978ee2f7a9120b6a96e3 to your computer and use it in GitHub Desktop.
Download ZIP
notes about hacking electron apps
Raw
electron.md

notes about hacking electron applications

infamous shell.openExternal: opens an application based on URI and filetype association.

commonly-abused APIs

remote.app

when exposed to the renderer, remote.app allows the renderer processs to access APIs normally only available in the main process (this module will be deprecated in E 12 and removed in E 14)

Many of the functions exposed by this object can be easily abused, including but not limited to:

  • app.relaunch([options]) Relaunches the app when current instance exits.
  • app.setAppLogsPath([path]) Sets or creates a directory your app’s logs which can then be manipulated with app.getPath() or app.setPath(pathName, newPath).
  • app.setAsDefaultProtocolClient(protocol[, path, args]) Sets the current executable as the default handler for a specified protocol.
  • app.setUserTasks(tasks) Adds tasks to the Tasks category of the Jump List (Windows only).
  • app.importCertificate(options, callback) Imports the certificate in pkcs12 format into the platform certificate store (Linux only).
  • app.moveToApplicationsFolder([options]) Move the application to the default Application folder (Mac only).
  • app.setJumpList(categories) Sets or removes a custom Jump List for the application (Windows only).
  • app.setLoginItemSettings(settings) Sets executables to launch at login with their options (Mac, Windows only).

systemPreferences

can be abused to leak information about the user's behavior, operating system activity, and usage patterns

subscribeNotification and subscribeWorkspaceNotification: can be used to subscribe to native notifications of macOS

getUserDefault: returns the value of a key in NSUserDefaults on macOS (can return global or application preferences) setUserDefault: sets user's defaults for application preferences related to the target application on macOS

Shell.showItemInFolder:

  • on Linux, if the folder path can be replaced with an arbitrary executable file, the attacker could win the inherent TOCTOU race condition and execute the file.
  • on older Windows systems, ShellExecute is used as a fallback--specifying "open" as the lpVerb parameter--which launches an executable or a file's associated application

tools

https://github.com/doyensec/electronegativity

reading

hacking electron:

vulnerabilities:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment