Breaking Barriers: Using XSS to Achieve RCE

Aden Yap Chuen Zhen, Ali Radzali

Electron is a free and open-source software framework developed and maintained by the OpenJS Foundation. It is designed for building desktop applications with web technologies: the user interface is rendered by a bundled version of the Chromium browser engine, and the back end runs on the Node.js runtime. To mitigate the risk of script running in the renderer reaching Node.js APIs, the “nodeIntegration” option has defaulted to false in every Electron release since version 5.0.0, which means the renderer process does not have access to the Node.js APIs. Similarly, the “nodeIntegrationInWorker” option also defaults to false, so that Electron Web Workers do not have access to the Node.js APIs. This helps prevent malicious code from executing in the renderer process and accessing sensitive system resources. If a developer still requires “nodeIntegration”, they must explicitly enable it in the application's Electron configuration.

BAE Systems security researchers were able to identify dozens of misconfigured apps written with the Electron framework that are publicly available on the Internet; these misconfigurations could potentially lead to RCE if a simple XSS vulnerability were present. BAE Systems security researchers will demonstrate the techniques used to exploit these vulnerabilities and achieve RCE by chaining a simple XSS bug. Some of these vulnerabilities are pre-auth (no authentication required) and can therefore be easily exploited in the wild without user interaction (zero-click). At the time of writing, BAE Systems security researchers had found 3 0-days in popular apps hosted on GitHub; these apps are widely used on the Internet and are easily exploitable via the zero-click exploit we developed.
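As an added illustration (not code from the talk or from the Electron project), here is a small audit helper that flags the BrowserWindow `webPreferences` settings described above. It assumes Electron's defaults from 5.0.0 onward for `nodeIntegration` and `nodeIntegrationInWorker`, and additionally checks `contextIsolation`, which the abstract does not mention but which defaults to true since Electron 12; the window configurations are constructed samples.

```javascript
// Added example, not Electron's own code: audit BrowserWindow webPreferences
// for the opt-ins the abstract describes as misconfigurations. Electron is
// not loaded here; missing keys are filled with the assumed defaults below.
const SECURE_DEFAULTS = {
  nodeIntegration: false,         // renderer cannot reach Node.js APIs (default since 5.0.0)
  nodeIntegrationInWorker: false, // Web Workers cannot reach Node.js APIs
  contextIsolation: true,         // page script isolated from the preload script (default since 12)
};

// Returns a list of findings; an empty list means the window keeps the
// hardening the abstract relies on.
function auditWebPreferences(webPreferences = {}) {
  const prefs = { ...SECURE_DEFAULTS, ...webPreferences };
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: script injected via XSS in the renderer ' +
                  'can call Node.js APIs directly, escalating XSS to RCE');
  }
  if (prefs.nodeIntegrationInWorker === true) {
    findings.push('nodeIntegrationInWorker enabled: Web Workers can call Node.js APIs');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation disabled: page script shares a JavaScript ' +
                  'context with the preload script');
  }
  return findings;
}

// Audits the options object that would be passed to `new BrowserWindow(...)`.
function auditBrowserWindowOptions(options = {}) {
  return auditWebPreferences(options.webPreferences || {});
}

// Constructed sample: the kind of explicit opt-in the abstract calls misconfigured.
const weakWindowOptions = {
  width: 800, height: 600,
  webPreferences: { nodeIntegration: true, nodeIntegrationInWorker: true, contextIsolation: false },
};
// Constructed sample: states the secure defaults explicitly.
const hardenedWindowOptions = {
  width: 800, height: 600,
  webPreferences: { nodeIntegration: false, nodeIntegrationInWorker: false, contextIsolation: true },
};

for (const [name, opts] of [['weak', weakWindowOptions], ['hardened', hardenedWindowOptions]]) {
  const findings = auditBrowserWindowOptions(opts);
  console.log(`${name}: ${findings.length === 0 ? 'OK' : '\n  ' + findings.join('\n  ')}`);
}
```

The same check can be run over each `new BrowserWindow(...)` call site in a code review to catch the opt-ins the talk describes before an XSS turns into RCE.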

Speaker's Bio

Aden is a penetration tester with BAE Systems based in Malaysia and has 6 years of experience in the field of cybersecurity. He is responsible for delivering red teaming exercises and various penetration tests for numerous industries and has reported critical vulnerabilities in their applications and infrastructure. He holds CRTO, OSCP, CREST-CRT, CEH and other industry certifications. Outside of client projects, he has also contributed to bug bounty programs for the health and financial industries and to vulnerability research programs for the internet space.