From Code to Compromise: The Hidden Risks in Electron.JS (A Lu513n rant)
August | 2024
Slide 2
Introduction
● More than 150 million users
● Cross-platform
● Chromium + Node.js
● Released in 2013
Slide 3
Rohit Narayanan M (Lu513n)
● Security Engineer @ Traboda Cyberlabs
● 4+ years in web security
● CTF Player @ team bi0s
Slide 4
More on Electron
● Chrome for the front end
● Node for the back end
● Large patch gap
● Multi-process architecture
○ Main process
○ Renderer processes
○ IPC
Preload
● Script that is executed before the renderer's page loads
● Has access to a limited set of Node.js APIs
Slide 11
contextIsolation
Slide 12
sandbox
● Same as the Chrome sandbox
Slide 13
sandbox
● Runs in a sandboxed renderer, preventing access to system-level calls
● Adds an IPC to broker the calls
Slide 14
Evernote RCE
● PDF.js XSS - CVE-2024-4367
● IPC misconfiguration in preload.js
● Improper checks in main.js
Slide 15
https://0reg.dev/blog/evernote-rce
Slide 16
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
PDF.js XSS
● JavaScript-based PDF viewer maintained by Mozilla
● Vuln: eval is called when compiling glyphs, so a crafted PDF can run JavaScript in the viewer's context
Slide 17
Evernote Demo RCE
● preload.js
● main.js
Slide 18
Final Exploit Demo
Slide 19
Demo Video
Slide 20
Slide 21
Don’t Check
● Mitigate XSS
● Security options when creating Electron windows
● Upgrade Electron regularly
● IPC handler configuration