New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Arbitrary filesystem manipulation vulnerability introduced by IPC exposure #2143
Comments
Thanks for your heads up. We'll have a look. |
To better understand the impact of what you've found, could you provide us a few more details on the following:
The way we secured the app is that it does not allow any remote scripts to be opened, no unsafe scripts to be evaluated, no remote sites to be browsed. Could you elaborate how a remote attacker is able to exploit that issue?
Regarding the solutions you mentioned, do you have any concrete examples how these mitigate the risk? Any patterns / best practices you have in mind? |
For the first question: For the second question: |
We take our applications security seriously, follow Electron security best practices and carefully examine the impact of reported vulnerabilities. So thanks again for approaching us and getting back in a timely manner. Your bug report explicitly states that arbitrary file system manipulation is possible by remote attackers / when rendering untrusted pages in the render process. We validated our initial assessment and can confirm that this is not the case. As mentioned only trusted content is being loaded into the render process. Measures outlined by the Electron security best practices prevent any untrusted websites or scripts from being opened, included or accessed. Any break in that trust model (XSS, include of a remote resource) is a serious security thread that we will handle with care. We will consider actions to further harden the security as you suggested. Our app is an editor for local files and accessing arbitrary files is a feature. We cannot get rid of file system access easily, unfortunately. |
This prevents using `window.getAppPreload` by other code than the application. Thus, only the application has access to the IPCRenderer and can decide which APIs it provides. Closes #2143. Related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28154
This prevents using `window.getAppPreload` by other code than the application. Thus, only the application has access to the IPCRenderer and can decide which APIs it provides. Closes #2143. Related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28154
This prevents using `window.getAppPreload` by other code than the application. Thus, only the application has access to the IPCRenderer and can decide which APIs it provides. Closes #2143. Related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28154
With #2155, we remove the access to |
Describe the Bug
Hi,
Great work!
We did a security analysis and found that
app/lib/preload.js
directly expose risky ipcRenderer instance to unsafe renderer process, which enables a remote attacker to abuse sensitive methods in the main process by crafting malicious ipc message.I notice that the app has already disabled node integration in unsafe renderers(92ba66d), which is good. However, such direct IPC export may re-expose many sensitive primitives to the attacker.
Here is the exposure site.
camunda-modeler/app/lib/preload.js
Lines 27 to 37 in a587434
By sending a message to
file:write
channel. The attacker may read and write malicious content to the user filesystem.camunda-modeler/app/lib/index.js
Lines 186 to 194 in 6f1497c
Expected Behavior
I could think of two possible solutions:
ipcRenderer
to untrusted domains.Ref. CVE-2021-28154
The text was updated successfully, but these errors were encountered: