Electron WebPreferences - Remote Code Execution

EDB-ID:

45272




Platform:

Multiple

Date:

2018-08-27


CVE-2018-15685 - Electron WebPreferences Remote Code Execution
This is a minimal Electron application with a POC for CVE-2018-15685.

A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15). This vulnerability has been assigned the CVE identifier CVE-2018-15685.

For more information see my full write up on the Contrast Security blog (https://www.contrastsecurity.com/security-influencers/cve-2018-15685) or the write up on the offical blog from Electron (https://electronjs.org/blog/web-preferences-fix)

The project contains the fillowing files:

main.js - This is the app's main process. Note this has nodeIntegration disabled so it should not be possibe use "process"
index.html - This is an example rendered page. This could be remotely controlled URL, or a page from an application with an XSS. In this example even though it is a local file but should not have access to node bindings.
You can learn more about each of these components within the Quick Start Guide.

To Use
To clone and run this repository you'll need Git and Node.js (which comes with npm) installed on your computer. From your command line:

# Clone this repository
git clone https://github.com/matt-/CVE-2018-15685
# Go into the repository
cd CVE-2018-15685
# Install dependencies
npm install
# Run the app
npm start


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45272.zip