A security researcher has achieved remote code execution (RCE) on Discord’s desktop application by chaining a trio of security vulnerabilities.

The exploit (demonstrated in this video) capitalized on the fact that Discord had disabled the RCE-blocking contextIsolation option in Electron. It also leveraged a cross-site scripting (XSS) flaw in the implementation of iframe embeds on 3D viewing platform Sketchfab, along with a navigation restriction bypass in Electron.

Discord, whose client is built on the Electron framework, is an instant messaging and VoIP application with more than 100 million active monthly users.

Japanese researcher Masato Kinugawa was awarded $5,000 by Discord and $300 by Sketchfab through the platforms’ respective bug bounty programs.

The three-stage research process, which Kinugawa has documented in a blog post published yesterday (October 18, also available in Japanese), began with efforts to execute arbitrary JavaScript on Discord by first checking the BrowserWindow API options.

Because nodeIntegration was false in Discord’s main window, the researcher couldn’t call require() directly in order to use Node.js features. This should have precluded RCE courtesy of contextIsolation, introduced by Electron in response to a 2016 Cure53 penetration test to which Kinugawa contributed.

However, the researcher discovered that this option was disabled, meaning that “a web page’s JavaScript can affect the execution of the Electron’s internal JavaScript code on the renderer, and preload scripts”.

Kinugawa then deployed a technique for achieving RCE that he had outlined in a 2018 presentation, to no avail.

Switching his focus to preload scripts, he found that Discord exposes a function that allows some permitted modules to be called (via ('MODULE-NAME')) into the web page. He then “found a code where RCE can be achieved by overriding the JavaScript built-in methods and interfering with the execution of the exposed module”.

The researcher subsequently achieved XSS by abusing Discord’s iframe embeds feature, which embeds rich content from compatible platforms, such as YouTube, Twitch or Spotify, when URLs are pasted into third-party HTML pages.

One by one, the researcher checked whether potentially compatible services – as gauged from Discord’s CSP frame-src directive – could be embedded in the iframe and discovered that one of them, Sketchfab, had “a simple DOM-based XSS in the footnote of the 3D model”.

After posting a malicious URL to a Discord chat, the 3D model viewer was embedded into the iframe, and a “few clicks” on it then executed arbitrary JavaScript.

However, Electron doesn’t load internal JavaScript renderer code into the iframe, so “even if I override the JavaScript built-in methods on the iframe, I can’t interfere with the Node.js’ critical parts”, Kinugawa explained.

Achieving RCE therefore required the execution of JavaScript in a “top-level browsing context” by “opening a new window from the iframe or navigating the top window to another URL from the iframe”.

This was possible because the code designed to prevent such actions failed to do so, since the iframe failed to trigger a will-navigate event from the top navigation. He duly bypassed the navigation restriction to achieve RCE by navigating to the page containing the RCE code with the iframe’s XSS.

Updates and mitigation

After being alerted to the flaws, the Discord security team disabled Sketchfab embeds and enabled contextIsolation, while Sketchfab fixed the XSS quickly, said Kinugawa.

A security advisory published on GitHub on October 5 announced the release of new versions of Electron NPM – 11.0.0-beta.1, 10.0.1, 9.3.0, 8.5.1 – that patched the navigation restriction bypass (CVE-2020-15174).

In lieu of applying updates, Electron’s security team advised users to sandbox all iframes using the sandbox attribute. “This will prevent them creating top-frame navigations and is good practice anyway,” they explained.
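As an added defensive example (not code from the article, from Discord or from the Electron project), the following Node.js snippet audits a BrowserWindow webPreferences object for the settings discussed above, guards will-navigate with an origin allowlist, and emits the sandboxed iframe markup Electron’s advisory recommends; the function names, the webContents-like stub interface and the allowlisted origins are assumptions.

```javascript
// Audit a BrowserWindow webPreferences object against the settings the
// article discusses. contextIsolation defaulted to false in the Electron
// versions named above, so a missing key is reported as a finding.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: page JS can call require()');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is off: page JS can tamper with preload and internal code');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox is off: renderer process is not OS-sandboxed');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity is disabled');
  }
  return findings;
}

// A navigation target is allowed only if its origin is on the allowlist;
// unparsable URLs are denied rather than passed through.
function isAllowedNavigation(targetUrl, allowedOrigins) {
  let origin;
  try {
    origin = new URL(targetUrl).origin;
  } catch (e) {
    return false;
  }
  return allowedOrigins.includes(origin);
}

// Attach the guard to anything exposing .on(), i.e. Electron's webContents
// or a test stub (assumed interface). Only Electron versions fixed for
// CVE-2020-15174 emit will-navigate for top-frame navigations that an
// iframe initiates, which is why the sandbox attribute below still matters.
function attachNavigationGuard(webContents, allowedOrigins, onBlocked = () => {}) {
  webContents.on('will-navigate', (event, targetUrl) => {
    if (!isAllowedNavigation(targetUrl, allowedOrigins)) {
      event.preventDefault();
      onBlocked(targetUrl);
    }
  });
}

// Embed markup per the advisory: sandbox without allow-top-navigation, so the
// framed content cannot navigate the top frame even when it runs script.
function sandboxedEmbed(src) {
  const safeSrc = src.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe sandbox="allow-scripts" src="${safeSrc}"></iframe>`;
}
```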