Agama Remote Code Execution Vulnerability

When working with Electron, it is important to understand that Electron is not a web browser. It allows you to build feature-rich desktop applications with familiar web technologies, but your code wields much greater power. JavaScript can access the filesystem, user shell, and more. This allows you to build high quality native applications, but the inherent security risks scale with the additional powers granted to your code.

With that in mind, you should never ever load links to external websites inside the Electron context.

The Vulnerability

Agama opens links to:

These are all opened inside the Electron context.

There may be more links but those were the only ones I found.

This means any of those sites can gain access to the electron module and use its remote.require functionality to require native Node.js modules and communicate with the main Node.js process via IPC. It could then require the Node.js child_process module and use it to issue shell commands to the operating system.

It's just a single line of code:

```
> require('electron').remote.require('child_process').execSync('cat /etc/passwd').toString()
`root:!:0:0::/:/usr/bin/bash
alice:!:1:1::/usr/bin/bash:
bin:!:2:2::/usr/bin/bash:`
```

This includes third-party JavaScript for ads, analytics, etc.: any JavaScript running on any of those remote sites has full access to the user's machine. It can install backdoors or key loggers, steal keys, look for other wallet files, anything.

For example, here is a screenshot of some JavaScript running in the context of the https://sprnt.slack.com popup window and running arbitrary shell commands on my machine.

The Solution

All external websites should be opened in the operating system's default browser, never inside the Electron context.

Also, the Electron security documentation is well worth a read; it explains how to prevent vulnerabilities such as this: https://github.com/electron/electron/blob/master/docs/tutorial/security.md
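As an added example (not the Gist's or Agama's code), here is how a main process can enforce that rule: the renderer gets no Node.js access, and every navigation or popup that is not one of the app's own bundled pages is cancelled inside Electron and handed to the OS browser via shell.openExternal. The APP_ROOT path is a constructed placeholder, webContents and shell are injected so the policy can be exercised without Electron installed, and the 'new-window' event is the API of Electron versions contemporary with this Gist (newer versions use webContents.setWindowOpenHandler instead).

```javascript
// Added example (not the Gist's or Agama's code). webContents and shell are
// injected so the policy runs in plain Node.js; in a real app pass
// win.webContents and require('electron').shell.
// Renderer hardening (real Electron webPreferences keys): no Node.js in the
// page, preload bridge in an isolated world, renderer process sandboxed.
function hardenedWebPreferences() {
  return { nodeIntegration: false, contextIsolation: true, sandbox: true };
}

// 'app'  : under the app's own bundle directory after URL normalisation (the
//          WHATWG parser collapses ../ segments first); appRoot must end in '/'
// 'web'  : http(s) page, to be handed to the OS default browser
// 'other': javascript:, data:, stray file: paths, garbage; never rendered
function classifyUrl(url, appRoot) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return 'other'; }
  if (parsed.href.startsWith(appRoot)) return 'app';
  return /^https?:$/.test(parsed.protocol) ? 'web' : 'other';
}

// Electron's 'will-navigate' and 'new-window' both pass (event, url, ...);
// newer Electron replaces 'new-window' with webContents.setWindowOpenHandler.
// App pages proceed; everything else is cancelled inside Electron, and only
// http(s) targets are opened externally.
function routeExternalLinks(webContents, shell, appRoot) {
  const handler = (event, url) => {
    const kind = classifyUrl(url, appRoot);
    if (kind === 'app') return;
    event.preventDefault();
    if (kind === 'web') shell.openExternal(url);
  };
  webContents.on('will-navigate', handler);
  webContents.on('new-window', handler);
  return handler;
}

// Drive the policy for one requested popup URL with stand-in objects (no
// Electron needed); returns { blocked, openedExternally }.
function simulate(url, appRoot) {
  const opened = [];
  const listeners = {};
  routeExternalLinks({ on: (n, fn) => { listeners[n] = fn; } },
                     { openExternal: (u) => opened.push(u) }, appRoot);
  const event = { blocked: false, preventDefault() { this.blocked = true; } };
  listeners['new-window'](event, url, '', 'foreground-tab', {});
  return { blocked: event.blocked, openedExternally: opened.length === 1 && opened[0] === url };
}

const APP_ROOT = 'file:///opt/agama/app/'; // constructed path, not Agama's real layout
console.log(simulate('https://sprnt.slack.com', APP_ROOT)); // { blocked: true, openedExternally: true }
```

A page under APP_ROOT loads normally, a traversal such as file:///opt/agama/app/../../etc/passwd is normalised before the comparison and dropped, and javascript: URLs are cancelled without being passed to the OS browser.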

@lukechilds (author):

Fixed in this PR: KomodoPlatform/EasyDEX-GUI#35
