Electron is an open source library developed by GitHub for building cross-platform desktop applications with HTML, CSS, and JavaScript. Electron accomplishes this by combining Chromium and Node.js into a single runtime, and apps can be packaged for Mac, Windows, and Linux.
On Windows, if an application built with Electron registers a Protocol Handler (allowing the user to launch the application from the browser), a parameter injection vulnerability may occur and eventually lead to remote command execution on the user's machine.
Reference link: Electron < v1.8.2-beta.4 Remote Command Execution Vulnerability (CVE-2018-1000006)
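The parameter injection described above shows up in process-creation logs as extra arguments following the protocol URL. The following check is an added example, not part of the original page or the Electron project; the `myapp:` scheme, the executable path and the sample command lines are constructed assumptions.

```javascript
// Hypothetical scheme for this example; use the one your application registers.
const SCHEME = 'myapp:';

// Simplified Windows command-line split: whitespace separates tokens unless
// inside double quotes. Backslash escaping is deliberately not handled.
function splitCommandLine(cmdline) {
  const tokens = [];
  let cur = '', inQuotes = false, started = false;
  for (const ch of cmdline) {
    if (ch === '"') { inQuotes = !inQuotes; started = true; }
    else if (/\s/.test(ch) && !inQuotes) {
      if (started) { tokens.push(cur); cur = ''; started = false; }
    } else { cur += ch; started = true; }
  }
  if (started) tokens.push(cur);
  return tokens;
}

// A handler launched from the browser should receive exactly one argument:
// the URL. Any token after the URL arrived through the URL itself.
function inspectLaunch(cmdline, scheme = SCHEME) {
  const args = splitCommandLine(cmdline).slice(1); // drop the executable
  const urlIndex = args.findIndex(a => a.toLowerCase().startsWith(scheme));
  if (urlIndex === -1) return { protocolLaunch: false, suspicious: false, extra: [] };
  const extra = args.slice(urlIndex + 1);
  return { protocolLaunch: true, suspicious: extra.length > 0, url: args[urlIndex], extra };
}

// Constructed process-creation command lines (not captured from a real host).
const SAMPLES = [
  '"C:\\Apps\\vulhub-app.exe"',
  '"C:\\Apps\\vulhub-app.exe" "myapp://open?id=42"',
  '"C:\\Apps\\vulhub-app.exe" "myapp://open?" "--example-switch=value"',
];

// Run the check over every sample line and keep the verdict beside the line.
function report(lines = SAMPLES) {
  return lines.map(line => ({ line, ...inspectLaunch(line) }));
}

for (const entry of report()) {
  console.log(entry.suspicious ? 'ALERT' : 'ok   ', entry.line);
}
```

This only surfaces attempts after the fact; the fix is to upgrade Electron past the affected versions. For applications that cannot upgrade, Electron's advisory suggests passing `--` as the last argument to `app.setAsDefaultProtocolClient` so Chromium stops parsing further options.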
Execute the following command to compile a vulnerable application:
docker-compose run -e ARCH=64 --rm electron
Because the software needs to run on the Windows platform, set the value of ARCH to the bit width of the target platform: 32 or 64.
After the compilation completes, execute the following command to run the web service:
docker-compose run --rm -p 8080:80 web
Now, access http://your-ip:8080/
You can see the POC page.
First, on the POC page, click on the first link and download the compiled software vulhub-app.tar.gz. After the download is complete, extract it and run it once.
Running it registers the Protocol Handler.
Then, go back to the POC page and click on the second link. The target software and calculator will pop up:
If it fails, the browser may be the cause. In testing, a recent Chrome browser calls vulhub-app when the POC link is clicked, but it does not execute calc.exe.