Shulou(Shulou.com)06/01 Report--

Electron is an open source framework composed of node.js,V8 and Chromium, which has been widely used in process desktop applications, including Github desktop, WordPress, etc.; researchers have found that through misconfiguration, malicious applications will be allowed to access Node.js API and modules and abuse more operating system features.

Security experts have identified a vulnerability in the Electron software framework that has been used to build a large number of popular desktop applications. Popular desktop applications (including Skype,Slack,GitHub desktops, Twitch,WordPress.com, etc.) may be affected.

Electron framework is an open source framework composed of node.js,V8 and Chromium.

Electron is an open source framework for node.js,V8 and Chromium that allows developers to build desktop applications using Web technologies such as JavaScript,HTML and CSS. When building applications based on the Electron framework, developers can choose between Electron API or Node.js API and its modules. Node.js API and built-in modules provide developers with broader integration with the operating system and allow access to more operating system functions.

To prevent abuse of operating system functionality, the Electron team created a mechanism to prevent applications based on its framework from being attacked.

"Electronic applications are essentially web applications, which means they are vulnerable to cross-site scripting attacks because user-supplied input is not properly cleaned up. The default Electron application includes not only access to its own API, but also built-in modules to access all Node.js." Read the analysis published by Trustwave. "this makes XSS particularly dangerous because the attacker's payload allows you to perform annoying things, such as requiring and executing system commands on the client side in the child_process module."

Setting the "webviewTag:false" option in the Election framework can cause XSS vulnerabilities

Applications running HTML and JS code on the desktop have the "nodeIntegration:false" option enabled by default, which means that access to Node.js API and modules is disabled by default.

The page view tag feature allows you to develop embedded content, such as web pages, for electronic applications and run it as a separate process.

Through analysis:

When using the WebView tag, you can also pass in a number of attributes, including nodeIntegration. The WebView container does not enable nodeIntegration by default.

When webviewTag in the webPreferences configuration file is set to false, nodeIngration is also set to false, but if the developer does not declare webviewTag, the Electron application sets nodeIntegration to false.

Researcher Brendan Scarvell found that the nodeIntegration option could be set to "true", which would allow malicious applications to access Node.js API and modules and abuse more operating system features.

Scarvell explained that if developers of Electron-based applications do not specifically set the "webviewTag:false" option in the webPreferences configuration file, attackers can take advantage of a cross-site scripting (XSS) vulnerability within the application to create a new WebView component window to change the setting and set the nodeIngration flag to "true".

Solutions to XSS (Cross-site scripting attacks) vulnerabilities

The expert released POC, which allows attackers to exploit any XSS vulnerability and access the underlying operating system.

"if an Electron application with the nodeIntegration option disabled is found to contain XSS vulnerabilities through poor cleanup of user input or vulnerabilities in other dependencies of the application, the above proof of concept can allow remote code execution if the application is using a vulnerable version of Electron (version)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.