Potential command execution vulnerability introduced by unsafe IPC exposure

[xiaofen9]

Hi,

Great work!
We did a security analysis on the app and found that the risky ipcRenderer is directly exposed to the unsafe renderer process. This may allow remote attackers to abuse sensitive methods in the (privileged) main process by crafting malicious IPC messages.

Vulnerability Details

The following code shows how a preload script exposes IPC.

twinkle-tray/src/intro-preload.js

Line 39 in 16c4a71

window.ipc = ipc

We do find exploitable IPC endpoints. e.g.,
If the attacker sends a malicious msg to open-url channel, he may execute arbitrary commands via openExternal.

twinkle-tray/src/electron.js

Lines 1314 to 1316 in 3871712

	ipcMain.on('open-url', (event, url) => {
	require("electron").shell.openExternal(url)
	})

Mitigation

• enforce security checks when receiving events on sensitive channels (e.g., check if received URL is legal before openExternal)
• avoid directly exposing ipcRenderer to untrusted domains.

[xanderfrangos]

Thanks for the security audit. 👍 I'll get this patched up.

[abergmann]

CVE-2021-28119 was assigned to this issue.

[xanderfrangos]

v1.13.4 has been released with a fix for this potential vulnerability. I now use a pre-defined list of URLs.

I am not aware of any way that IPC could be triggered from outside of Electron, and Twinkle Tray does not load any HTML/JS from external URLs (it's all contained in the distributed ASAR). But just in case it is possible to exploit, it's been fixed. Thanks again for pointing the vulnerability out.