From Code to Compromise: The Hidden Risks in Electron.JS
A Lu513n rant, August 2024

Introduction
● More than 150 million users
● Cross-platform
● Chromium + Node.js
● Released in 2013

Rohit Narayanan M
Security Engineer @ Traboda Cyberlabs
4+ years in web security
CTF Player @ team bi0s
Le Lu513n

More on Electron
● Chrome for the front-end
● Node for the backend
● Large patch gap
● Multi-process architecture
  ○ Main process
  ○ Renderer processes
  ○ IPC

Architecture
(diagram; source: https://www.electronjs.org/blog/webview2)

IPC (Inter-Process Communication)
(diagram: main.js, preload.js)

Configuration
(main.js)

nodeIntegration

nodeIntegrationInSubFrames

Preload
● preload.js: script that is executed before the renderer
● Access to limited Node.js APIs

contextIsolation

sandbox
● Same as the Chrome sandbox
● Runs in a sandboxed renderer, preventing access to system-level calls
● Adds an IPC to broker the calls

Evernote RCE
● PDF.js XSS - CVE-2024-4367
● IPC misconfiguration in preload.js
● Improper checks in main.js
https://0reg.dev/blog/evernote-rce

PDF.js XSS
● JavaScript-based PDF viewer maintained by Mozilla
● Vuln: eval called when compiling glyphs
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

Evernote Demo RCE
(preload.js, main.js)

Final Exploit Demo

Demo Video

Don’t Check
● Mitigate XSS
● Security options when creating Electron windows
● Upgrade Electron regularly
● IPC handler configuration

THANK YOU
Connect with me on x.com/Lu513n