
Vulnerability to Process Injection in Electron-Builder Applications

Open sivanovvv opened this issue 10 months ago • 7 comments

  • Electron-Builder Version: 22.10.5
  • Node Version: 16.14.2
  • Electron Version: 13.6.9
  • Electron Type (current, beta, nightly): Stable
  • Target: Windows

Issue Description

Issue: Vulnerability to Process Injection in Electron-Builder Applications

Description: It has been observed that applications built with Electron Builder are susceptible to process injection, a method that enables the execution of arbitrary code within the address space of a separate live process. This can potentially grant unauthorized access to the process's memory, system/network resources, and potentially elevate privileges.

Impact: Successful exploitation of this vulnerability could lead to client-side command injection or code execution, allowing an attacker to gain full access to the victim's machine. Specifically, applications built with electron-builder are vulnerable to a process injection attack that grants the attacker a reverse shell.

Steps to Reproduce:

  1. Open the application and identify a process ID (e.g., PID=7088).
  2. Copy the process injection executable to the machine where the application is installed. This executable injects malicious code, providing the attacker with command prompt access to the application machine.
  3. Execute the payload by passing the target PID as a parameter. This action successfully executes the malicious code.
  4. The malicious code is triggered, and the attacker's machine gains command prompt access to the application machine.

Expected Behavior: To address this vulnerability, it is recommended to implement Control Flow Guard, Signature, Load, and Dynamic Code policies. These measures can enhance the security posture of applications built using Electron Builder and mitigate the risk of process injection attacks.

sivanovvv · Aug 25 '23 06:08

Let me get this straight:

If you execute a program on your target's computer (Step 3), you can execute code on your target's computer?

Executing code can lead to code execution?

lwahonen · Sep 13 '23 08:09

Hi @lwahonen,

I do have the same issue with this.

"If you execute a program on your target's computer (Step 3), you can execute code on your target's computer? Executing code can lead to code execution?"

For process injection, the malicious code is already in memory, and the result leads to a potential thick-client denial of service or potential access to elevated privileges on the machine.

It is recommended to implement Signature, Load, and Dynamic Code policies. NB: Control Flow Guard seems to be implemented already.

DVD1999 · Oct 24 '23 13:10

@DVD1999 Was wondering what you mean by Control Flow Guard seeming to be implemented? As I don't see it enabled on the executable bundled by electron builder.

aynofal-miro · Dec 07 '23 10:12

@aynofal-miro Thanks a lot for addressing this issue. I stand corrected; please see the image attached. [image: ElectronBuilder_CFG] There are two 32-bit executables from the Electron Builder package with no ControlFlowGuard implementation: elevate.exe and the Uninstaller...

Questions: Why are they still 32-bit? If they stay that way, could ControlFlowGuard be set properly for them?

DVD1999 · Dec 07 '23 16:12
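The check the two previous comments are doing by hand (is the GUARD_CF flag set on the bundled executables, and are they 32-bit or 64-bit) can be scripted. The following is an added example for this page, not code from electron-builder, electron-builder-binaries, or anyone in the thread. It parses the PE headers with the Python standard library only, so it runs on any platform, and it reports the DllCharacteristics bits that `dumpbin /headers` labels "Control Flow Guard", "Dynamic base", "High Entropy Virtual Addresses" and "NX compatible". It does not look at the load-config directory (GuardFlags and the guard CF function table), which is where a full CFG verification would continue. The `build_minimal_pe` helper and the headers it produces are constructed test inputs, not real binaries; the DllCharacteristics field sits at the same offset (70) in both PE32 and PE32+ optional headers, so the same check applies to the 32-bit elevate.exe and uninstaller as to the 64-bit app binary.

```python
"""Report PE bitness and DllCharacteristics mitigation flags (added example)."""
import struct
import sys

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
PE32_MAGIC = 0x10B                # 32-bit optional header
PE32PLUS_MAGIC = 0x20B            # 64-bit optional header
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
MACHINES = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
    IMAGE_FILE_MACHINE_ARM64: "arm64",
}

# IMAGE_DLLCHARACTERISTICS_* bits relevant to injection hardening.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR; not meaningful for PE32 images
    0x0040: "DYNAMIC_BASE",     # ASLR
    0x0100: "NX_COMPAT",        # DEP
    0x4000: "GUARD_CF",         # Control Flow Guard
}
DLLCHAR_OFFSET = 70             # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Parse the headers of a PE image held in memory and return its mitigation flags."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < DLLCHAR_OFFSET + 2 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + DLLCHAR_OFFSET)[0]
    info = {
        "bits": 32 if magic == PE32_MAGIC else 64,
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "dll_characteristics": dllchar,
    }
    for bit, name in DLL_CHARACTERISTICS.items():
        info[name] = bool(dllchar & bit)
    return info


def missing_mitigations(info: dict) -> list:
    """Names of expected flags that are not set; HIGH_ENTROPY_VA is skipped for 32-bit images."""
    return [
        name for name in DLL_CHARACTERISTICS.values()
        if not info[name] and not (name == "HIGH_ENTROPY_VA" and info["bits"] == 32)
    ]


def build_minimal_pe(magic: int, machine: int, dll_characteristics: int) -> bytes:
    """Constructed test input: MZ stub, PE signature, file header and a zeroed optional header."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    opt_size = 224 if magic == PE32_MAGIC else 240
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


def check_file(path: str) -> dict:
    """Read a PE file from disk and return pe_mitigations() plus the list of missing flags."""
    with open(path, "rb") as fh:
        info = pe_mitigations(fh.read())
    info["missing"] = missing_mitigations(info)
    return info


if __name__ == "__main__":
    # Usage: python pe_mitigations.py elevate.exe "Uninstall MyApp.exe" MyApp.exe
    for arg in sys.argv[1:]:
        try:
            r = check_file(arg)
        except (OSError, ValueError) as exc:
            print(f"{arg}: {exc}")
            continue
        print(f"{arg}: {r['bits']}-bit {r['machine']}, missing: {', '.join(r['missing']) or 'none'}")
```

Run it against the files an electron-builder NSIS target produces (the app executable, the uninstaller it writes, and elevate.exe from electron-builder-binaries) to get the same answer as the screenshot above without a GUI tool. A binary built with `/guard:cf` on both compiler and linker sets GUARD_CF here; an empty "missing" list is necessary but not sufficient, since the flag only says the linker emitted CFG metadata, not that every module the process later loads was built the same way.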

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] · Feb 06 '24 00:02

I took a look at makensis (I think that's for the uninstaller?) and elevate.exe that you're referring to; they're located here: https://github.com/electron-userland/electron-builder-binaries/tree/master/nsis

They're very old files, so the new security-enhanced versions you're describing (Signature, Load, and Dynamic Code policies) probably require a PR submitted there before I can do anything within electron-builder (I don't have management rights on the other electron-userland repos).

mmaietta · Feb 21 '24 02:02

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] · Apr 24 '24 00:04