Electron Remote Code Execution Vulnerability (CVE-2018-1000006)


Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime, and apps can be packaged for Mac, Windows, and Linux.

On Windows, if an application built with Electron registers a Protocol Handler (allowing the user to launch the application from the browser), a parameter injection vulnerability may occur and eventually lead to remote code execution on the user's machine.

Reference link: Electron < v1.8.2-beta.4 Remote Command Execution Vulnerability [CVE-2018-1000006]
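
A defender-side check for the parameter injection described above, as an added example that is not vulhub or Electron code: it audits the command string Windows stores for a protocol handler and lists any arguments that accompany the scheme URL at launch. The `myapp` scheme, the paths and the function names are constructed; the `--` separator before `%1` is the workaround Electron's advisory gives for apps that cannot upgrade.

```javascript
// Added example: not vulhub or Electron code. "myapp" and all paths are constructed.

// Split a Windows command string into tokens, honouring double quotes.
// Simplified on purpose: backslash-escaped quotes are not modelled.
function tokenize(command) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(command)) !== null) {
    const quoted = m[1] !== undefined;
    tokens.push({ text: quoted ? m[1] : m[2], quoted });
  }
  return tokens;
}

// Audit the command registered for a scheme. Returns a list of findings;
// an empty list means the URL is passed as one quoted, final argument after "--".
function auditHandlerCommand(command) {
  const tokens = tokenize(command);
  const idx = tokens.findIndex(t => t.text.includes('%1'));
  if (idx === -1) return ['no %1 placeholder'];
  const findings = [];
  if (tokens[idx].text !== '%1' || !tokens[idx].quoted) {
    findings.push('%1 is not a standalone quoted argument');
  }
  if (idx !== tokens.length - 1) findings.push('%1 is not the last argument');
  if (idx === 0 || tokens[idx - 1].text !== '--') findings.push('no "--" before %1');
  return findings;
}

// Launch-time signal for logging: anything passed alongside the scheme URL.
// Assumes a packaged app, where argv[0] is the executable.
function extraLaunchArgs(argv, scheme) {
  const prefix = scheme.toLowerCase() + ':';
  const args = argv.slice(1);
  const url = args.find(a => a.toLowerCase().startsWith(prefix));
  if (url === undefined) return []; // not a protocol launch
  return args.filter(a => a !== '--' && a !== url);
}

// Constructed sample registrations.
const samples = [
  '"C:\\Apps\\myapp.exe" "%1"',
  '"C:\\Apps\\myapp.exe" "--" "%1"',
  '"C:\\Apps\\myapp.exe" -- %1',
];
for (const s of samples) console.log(s, '=>', auditHandlerCommand(s));
```

The launch-time function is a logging signal only; it does not replace upgrading Electron.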

Setup

Execute the following command to compile a vulnerable application:

docker-compose run -e ARCH=64 --rm electron

Because the software needs to run on the Windows platform, set the value of ARCH to the number of bits of the target platform: 32 or 64.

After the compilation has completed, execute the following command to run the web service:

docker-compose run --rm -p 8080:80 web

Now, visit http://your-ip:8080/ to see the POC page.

Exploit

First, on the POC page, click on the first link and download the compiled software vulhub-app.tar.gz. After the download is complete, extract it and run it once.

At this point the Protocol Handler will be registered.

Then, go back to the POC page and click on the second link. The target software and calculator will pop up.

If this fails, the browser may be the cause. In testing, the new Chrome browser calls vulhub-app when the POC link is clicked, but it does not execute calc.exe.

Copied From: vulhub/electron/CVE-2018-1000006