Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Potential command execution vulnerability introduced by unsafe IPC exposure #142

Closed
xiaofen9 opened this issue Mar 9, 2021 · 3 comments
Closed
Assignees

Comments

@xiaofen9
Copy link

@xiaofen9 xiaofen9 commented Mar 9, 2021

Hi,

Great work!
We did a security analysis on the app and found that the risky ipcRenderer is directly exposed to the unsafe renderer process. This may allow remote attackers to abuse sensitive methods in the (privileged) main process by crafting malicious IPC messages.

Vulnerability Details

The following code shows how a preload script exposes IPC.

window.ipc = ipc

We do find exploitable IPC endpoints. e.g.,
If the attacker sends a malicious msg to open-url channel, he may execute arbitrary commands via openExternal.

twinkle-tray/src/electron.js

Lines 1314 to 1316 in 3871712

ipcMain.on('open-url', (event, url) => {
require("electron").shell.openExternal(url)
})

Mitigation

  • enforce security checks when receiving events on sensitive channels (e.g., check if received URL is legal before openExternal)
  • avoid directly exposing ipcRenderer to untrusted domains.
@xanderfrangos
Copy link
Owner

@xanderfrangos xanderfrangos commented Mar 9, 2021

Thanks for the security audit. 👍 I'll get this patched up.

@xanderfrangos xanderfrangos self-assigned this Mar 9, 2021
xanderfrangos added a commit that referenced this issue Mar 10, 2021
@abergmann
Copy link

@abergmann abergmann commented Mar 10, 2021

CVE-2021-28119 was assigned to this issue.

@xanderfrangos
Copy link
Owner

@xanderfrangos xanderfrangos commented Mar 25, 2021

v1.13.4 has been released with a fix for this potential vulnerability. I now use a pre-defined list of URLs.

I am not aware of any way that IPC could be triggered from outside of Electron, and Twinkle Tray does not load any HTML/JS from external URLs (it's all contained in the distributed ASAR). But just in case it is possible to exploit, it's been fixed. Thanks again for pointing the vulnerability out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants