Remote Code Execution Through Cross-Site Scripting In Electron
For those unfamiliar with the term, CVE stands for Common Vulnerability and Exposure. Each CVE record contains a standard identifier, a brief description, and references to related vulnerability reports and advisories. corporation keeps a list of records with all publicly disclosed vulnerabilities that is free for use.
The CVE list feeds the U.S. National Vulnerability Database () which also provides a score for each CVE. This score (called ) is divided into three categories -Base, Temporal, and Environmental- and defines the impact of the vulnerability.
I have always wanted to submit a CVE discovered by me — Image by Unsplash
is a cross-platform desktop note-taking app. Although the most basic use is saving a simple text note, you can use Markdown code or embed any kind of HTML.
This last fact made me think if zonote would be vulnerable to Cross-Site Scripting. Cross-Site Scripting or XSS is one of the most frequent vulnerabilities in web applications, and it’s ranked 7th of OWASP Top 10 Web Application Security Risks.
An XSS attack consists of the execution of arbitrary JavaScript code injected by an attacker, and the OWASP definition is the following:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Exploitation
There are a lot of references on the Internet where you can find XSS payloads, so it’s a really simple attack to carry out.
To test if zonote was vulnerable to this kind of attack, I created a new note and inserted one of my favorite XSS payloads, which executes some code when the user hovers a link.
The alert inside the XSS payload was successfully executed, confirming that zonote was vulnerable to XSS attacks
Escalating the XSS attack to a Remote Code Execution attack
The first question that came to my mind after this discovery was:
Is this such a big issue?
For sure it’s an issue, but XSS attacks are very common, and their power is usually limited to the scope that they are executed on. But zonote is an Electron app, and as pointed out in the Electron security documentation:
A cross-site-scripting (XSS) attack is more dangerous if an attacker can jump out of the renderer process and execute code on the user’s computer.
Disabling Node.js integration helps prevent an XSS from being escalated into a so-called “Remote Code Execution” (RCE) attack.
So this could be even more harmful if Node.js integration is enabled. As I had access to the code, it was trivial to search for the property nodeIntegration.
The property that allows full access to the Node.js API was set to true, opening the door to Remote Code Execution
After confirming that the Node.js integration was enabled, I could slightly modify the previous XSS payload to require the module in Electron and see the list of exposed methods.
At this point, we have confirmed that access to the Node.js API through XSS was possible. As a simple Proof of Concept of the Remote Code Execution, we can open the Calculator app.
Finally, to confirm that the vulnerability was exploitable cross-platform I just exported a note with an XSS payload to open the Windows calculator and imported it into a Windows OS.
Impact of the vulnerability
The XSS payload used for demonstration purposes requires user interaction to get executed, but we could use another payload that gets executed as soon as the note is processed.
We have opened the calculator application as a PoC for the Remote Code Execution, but we could execute a payload to obtain remote access to the victim’s system. Therefore, the impact on confidentiality, integrity, and availability of this vulnerability should be considered as high.
Disclosure timeline
- 2020–12–26 Issue discovered and contact with the owner
- 2020–12–26 Owner express his intention of not maintaining the repository nor fixing the vulnerability
- 2020–12–26 Reserved CVE identifier CVE-2020–35717
- 2021–01–01 Public disclosure of the vulnerability
Originally published at https://medium.com on January 5, 2021.
