{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2018-003.pdf"
    },
    "title": "Critical Vulnerability in Electron on Windows",
    "serial_number": "2018-003",
    "publish_date": "29-01-2018 14:57:00",
    "description": "On the 22nd of January 2018, GitHub published a fix for a remote code execution vulnerability affecting Electron applications that use custom protocol handlers. An attacker could exploit the vulnerability by providing the victim with a specially crafted link that invokes the custom protocol handler. The vulnerability affects, among others, applications such as Skype and Slack.",
    "url_title": "2018-003",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Electron on\u00a0Windows'\nversion: '1.0'\nnumber: '2018-003'\ndate: 'January 29, 2018'\n---\n\n_History:_\n\n* _29/01/2018 --- v1.0: Initial publication_\n\n# Summary\n\nOn the 22nd of January 2018, GitHub published a fix for a remote code execution vulnerability affecting Electron applications that use custom protocol handlers [1]. An attacker could exploit the vulnerability by providing the victim with a specially crafted link that invokes the custom protocol handler.\n\nPopular applications potentially affected by the vulnerability include:\n\n* Skype\n* Atom\n* Keeper\n* Signal\n* Twitch\n* GitHub Desktop\n* Slack\n* ...\n\nA complete list of Electron applications may be found in [4]. These applications are vulnerable if they use custom protocol handlers (such as `myapp://`).\n\n# Technical Details\n\nThe vulnerability received the following CVE: CVE-2018-1000006 [2].\n\nElectron applications designed to run on Windows that register themselves as the default handler for a protocol can be affected regardless of how the protocol is registered, e.g., using native code, the Windows registry, or Electron's `app.setAsDefaultProtocolClient` API.\n\nThe `app.setAsDefaultProtocolClient` method sets the executable as the default handler for a protocol (URI scheme such as `myapp://`). Once registered, all links with `myapp://` will be opened with the defined executable. The whole link, including protocol and parameters, will be passed to the application as a parameter.\n\nThe vulnerability is due to the way such links are handled by the library and parsed by Chromium. A proof of concept is publicly available [3]:\n\n\tmyapp://?--no-sandbox --gpu-launcher=cmd.exe /c start calc\n\n# Products Affected\n\nAll applications using Electron libraries before versions `1.8.2-beta.4`, `1.7.11`, and `1.6.16` are affected by the vulnerability if they define a custom protocol handler for their application.\n\nmacOS and Linux applications are not affected.\n\n# Recommendations\n\nApply security patches for applications using Electron libraries.\n\n# References\n\n[1] <https://electronjs.org/blog/protocol-handler-fix>\n\n[2] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006>\n\n[3] <https://twitter.com/mattaustin/status/956282917830852608>\n\n[4] <https://electronjs.org/apps>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/01/2018 --- v1.0: Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 22nd of January 2018, GitHub published a fix for a remote code execution vulnerability affecting Electron applications that use custom protocol handlers [1]. An attacker could exploit the vulnerability by providing the victim with a specially crafted link that invokes the custom protocol handler.</p><p>Popular applications potentially affected by the vulnerability include:</p><ul><li>Skype</li><li>Atom</li><li>Keeper</li><li>Signal</li><li>Twitch</li><li>GitHub Desktop</li><li>Slack</li><li>...</li></ul><p>A complete list of Electron applications may be found in [4]. These applications are vulnerable if they use custom protocol handlers (such as <code>myapp://</code>).</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability received the following CVE: CVE-2018-1000006 [2].</p><p>Electron applications designed to run on Windows that register themselves as the default handler for a protocol can be affected regardless of how the protocol is registered, e.g., using native code, the Windows registry, or Electron's <code>app.setAsDefaultProtocolClient</code> API.</p><p>The <code>app.setAsDefaultProtocolClient</code> method sets the executable as the default handler for a protocol (URI scheme such as <code>myapp://</code>). Once registered, all links with <code>myapp://</code> will be opened with the defined executable. The whole link, including protocol and parameters, will be passed to the application as a parameter.</p><p>The vulnerability is due to the way such links are handled by the library and parsed by Chromium. A proof of concept is publicly available [3]:</p><pre><code>myapp://?--no-sandbox --gpu-launcher=cmd.exe /c start calc\n</code></pre><h2 id=\"products-affected\">Products Affected</h2><p>All applications using Electron libraries before versions <code>1.8.2-beta.4</code>, <code>1.7.11</code>, and <code>1.6.16</code> are affected by the vulnerability if they define a custom protocol handler for their application.</p><p>macOS and Linux applications are not affected.</p><h2 id=\"recommendations\">Recommendations</h2><p>Apply security patches for applications using Electron libraries.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://electronjs.org/blog/protocol-handler-fix\">https://electronjs.org/blog/protocol-handler-fix</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/mattaustin/status/956282917830852608\">https://twitter.com/mattaustin/status/956282917830852608</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://electronjs.org/apps\">https://electronjs.org/apps</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}