Critical Vulnerability in Electron on Windows

Release Date: 29-01-2018 14:57:00

Critical Vulnerability in Electron on Windows

History:

29/01/2018 --- v1.0: Initial publication

Summary

On the 22nd of January 2018, GitHub published a fix for a remote code execution vulnerability affecting Electron applications that use custom protocol handlers [1]. An attacker could exploit the vulnerability by providing to the victim a specifically crafted link calling the custom protocol handler.

Popular applications potentially affected by the vulnerability include:

Skype
Atom
Keeper
Signal
Twitch
Github desktop
Slack
...

A complete list of Electron applications may be found in [4]. These applications are vulnerable if they use custom protocol handlers (such as myapp://).

Technical Details

The vulnerability received the following CVE: CVE-2018-1000006 [2].

Electron applications designed to run on Windows that register themselves as the default handler for a protocol can be affected regardless of how the protocol is registered, e.g., using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API.

The app.setAsDefaultProtocolClient method sets the executable as the default handler for a protocol (URI scheme such as myapp://). Once registered, all links with myapp:// will be opened with the defined executable. The whole link, including protocol and parameters, will be passed to the application as a parameter.

The vulnerability is due to the way such links are handled by the library and parsed by Chromium. A proof of concept is available in public [3]:

myapp://?--no-sandbox --gpu-launcher=cmd.exe /c start calc

Products Affected

All applications using Electron libraries before versions 1.8.2-beta.4, 1.7.11, and 1.6.16 are affected by the vulnerability if they define custom protocol handler for their application.

MacOS and Linux applications are not affected.