
Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.

Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines several bugs.

The first security issue was found in Electron, the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code used by Electron, an open source project for building cross-platform apps that harness JavaScript, HTML, and CSS, is stored locally and could be extracted and examined.


One of the settings in Discord's Electron build, "contextIsolation," was set to false, which could allow JavaScript code outside the app to influence internal code, such as Node.js functions. The feature was designed to introduce separate contexts between web pages and JavaScript code.

"This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false," Kinugawa explained.

Next, the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display video in chat when a URL is posted, such as one from YouTube.

This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord's content security policy and can be embedded in the iframe, but a DOM-based XSS discovered in the embeds page could be abused.


However, this only allowed the bug bounty hunter to execute JavaScript within the iframe, and so it still wasn't possible to achieve full RCE on the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron's "will-navigate" event code.

Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.

Kinugawa reported his findings through Discord's Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.


"After a while, the contextIsolation was enabled," the bug bounty hunter added. "Now even if I could execute arbitrary JavaScript on the app, RCE doesn't occur via the overridden JavaScript built-in methods."

Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron's "will-navigate" issue has also been resolved.

ZDNet has reached out to Discord and will update when we hear back.
