A presentation at Bi0s Meetups 7 in August 2024 in Bengaluru, Karnataka, India by Rohit Narayanan M
From Code to Compromise: The Hidden Risks in Electron.JS (a Lu513n rant), August 2024
Introduction
● More than 150 million users
● Cross-platform
● Chromium + Node.js
● Released in 2013

Speaker: Rohit Narayanan M (Lu513n), Security Engineer @ Traboda Cyberlabs, 4+ years in web security, CTF player @ team bi0s
More on Electron
● Chromium for the front end (rendering the UI)
● Node.js for the backend (file system, processes, OS access)
● Large patch gap: Electron bundles its own copy of Chromium, so a fix that ships in Chrome reaches an Electron app only after Electron rebases onto that Chromium and the app ships the new Electron version
● Multi-process architecture
○ - Main process (Node.js, full OS privileges, creates windows)
○ - Renderer processes (Chromium, one per window or frame)
○ - IPC between them

Architecture
Reference: https://www.electronjs.org/blog/webview2

IPC (Inter-Process Communication)
main.js ↔ preload.js: the main process registers IPC handlers in main.js; preload.js runs inside the renderer with access to ipcRenderer and decides what page JavaScript may call. Everything a compromised page can do to the host goes through this bridge.
Configuration (main.js)
The options below are set in the webPreferences of a BrowserWindow; together they decide what a compromised renderer can reach.

nodeIntegration
● Gives page JavaScript in the renderer access to Node.js APIs (require, process, ...); with it enabled, an XSS in the window is code execution on the host

nodeIntegrationInSubFrames
● Extends Node access to iframes and child frames, not only the top-level document

preload.js
● A script that runs in the renderer before the page loads, with access to ipcRenderer; it is where the app decides which privileged operations to expose to page JavaScript

contextIsolation
● Runs preload.js in a separate JavaScript world from the page, so page code cannot reach preload's objects directly; anything exposed has to go through contextBridge

sandbox
● Same as the Chrome sandbox
● Runs the renderer in a sandboxed process, preventing direct system-level calls
● Adds an IPC layer so that calls needing privilege are brokered through the main process
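The settings above are easiest to get wrong one at a time, so here is an added example (not from the talk, and not Electron's own code) that audits the webPreferences object you would pass to new BrowserWindow({ webPreferences }). It runs on plain Node.js with no Electron dependency. The two configuration objects at the bottom are constructed for illustration: the "weak" one is the combination that turns any XSS into code execution, the "hardened" one is what a new window should look like.

```javascript
// Added example; not from the talk and not Electron's code. Plain Node.js,
// no Electron needed: it audits a BrowserWindow `webPreferences` object.

// For each option: the value that makes a window dangerous, and what it costs you.
const RISKY_VALUES = {
  nodeIntegration:            { bad: true,  why: 'page JavaScript gets require() and Node APIs, so any XSS is RCE' },
  nodeIntegrationInSubFrames: { bad: true,  why: 'iframes (an embedded viewer, a third-party widget) also get Node' },
  contextIsolation:           { bad: false, why: 'page JavaScript shares a world with preload.js and can reach its privileged objects' },
  sandbox:                    { bad: false, why: 'renderer runs outside the Chromium sandbox; OS-level calls are not brokered through main' },
  webSecurity:                { bad: false, why: 'same-origin policy is off; the page can read cross-origin responses' },
};

// One finding per problem: 'fail' for an explicitly insecure value, 'warn' for an
// option left unspecified (defaults changed across Electron majors, so pin them).
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [option, rule] of Object.entries(RISKY_VALUES)) {
    if (!(option in prefs)) {
      findings.push({ option, level: 'warn', message: `${option} not set explicitly; pin it to ${!rule.bad}` });
    } else if (prefs[option] === rule.bad) {
      findings.push({ option, level: 'fail', message: `${option}=${rule.bad}: ${rule.why}` });
    }
  }
  return findings;
}

// Coarse ranking of what an XSS in a window with these settings buys the attacker.
function xssImpact(prefs = {}) {
  if (prefs.nodeIntegration === true) return 'rce: page code can require("child_process")';
  if (prefs.contextIsolation === false) return 'preload world shared: page can reach whatever preload.js put on window and tamper with shared builtins';
  if (prefs.sandbox === false) return 'renderer unsandboxed: a renderer bug is not contained; exposed IPC is still the route to main.js';
  return 'contained: only what preload.js exposes via contextBridge and what main.js handlers accept';
}

function countByLevel(findings) {
  return findings.reduce((acc, f) => { acc[f.level] = (acc[f.level] || 0) + 1; return acc; }, { fail: 0, warn: 0 });
}

// Constructed "before": the combination that makes any XSS a host compromise.
const weakPrefs = { nodeIntegration: true, contextIsolation: false, sandbox: false, preload: 'preload.js' };
// Constructed "after": every option pinned to its safe value.
const hardenedPrefs = {
  nodeIntegration: false, nodeIntegrationInSubFrames: false,
  contextIsolation: true, sandbox: true, webSecurity: true, preload: 'preload.js',
};

for (const [name, prefs] of [['weak', weakPrefs], ['hardened', hardenedPrefs]]) {
  console.log(`${name}: ${xssImpact(prefs)}`);
  for (const f of auditWebPreferences(prefs)) console.log(`  [${f.level}] ${f.message}`);
}
```

Run it against the options objects from your own main.js; anything that prints a fail line is a window where the talk's XSS-to-RCE chain needs nothing more than the XSS.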
Evernote RCE
Three weaknesses chained, each one necessary:
● PDF.js XSS (CVE-2024-4367): JavaScript execution inside the app's PDF viewer
● IPC misconfiguration in preload.js: the XSS can reach privileged IPC channels
● Improper checks in main.js: the handler on the other end trusts what the renderer sends
Write-up: https://0reg.dev/blog/evernote-rce
PDF.js XSS (CVE-2024-4367)
PDF.js is the JavaScript-based PDF viewer maintained by Mozilla. The vulnerability: an eval-like call made while compiling font glyphs let a value taken from the PDF end up inside dynamically generated JavaScript, so a crafted PDF runs attacker JavaScript in the viewer's origin.
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

Evernote RCE demo: preload.js and main.js
Final Exploit Demo
Demo Video
Don't / Check
● Mitigate XSS in the renderer; in Electron it is rarely "just" XSS
● Set the security options explicitly when creating Electron windows (nodeIntegration, nodeIntegrationInSubFrames, contextIsolation, sandbox)
● Upgrade Electron regularly to close the Chromium patch gap
● Review IPC handler configuration: expose specific functions from preload.js, never a generic channel forwarder, and validate arguments and sender in main.js
THANK YOU Connect with me on x.com/Lu513n