Home

Awesome

Electron Research

Title: TBA

Intro

The following research will be published in an upcoming conference.

During the end of prototype pollution research, BlackFan and I came across a Prototype Pollution XSS in a web application that has a Desktop Application using ~Electron. So, I tried to escalate it to Remote Code Execution in the Desktop App and eventually I was able to get Remote Code Execution. Eventually, Prototype Pollution research came to an end, and started working on Electron Application and I think the research turned out pretty well.

Stats

The number of Applications Pwned: 18

The number of times Applications Pwned: 23

Applications Pwned

ApplicationDescriptionLink to Blog/AdvisoryCVE
Discord---
VSCode-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43908CVE-2021-43908
Rocket.chat-https://ssd-disclosure.com/ssd-advisory-rocket-chat-client-side-remote-code-execution/-
Element-https://github.com/vector-im/element-desktop/security/advisories/GHSA-mjrg-9f8r-h3m7CVE-2022-23597
Microsoft TeamsFile Read--

More Apps and Description, will be updated after the presenting at a conference

Research Publishing Team

Mohan Sri Rama Krishna P (s1r1us)

William Bowling (vakzz)

Max Garrett (TheGrandPew)

Aaditya Purani (knapstack)

Collabarators

Yudaii (ptr-yudai)

Sergey Bobrov (Black2Fan)

Masato Kinugawa (kinugawamasato)

Harsh Jaiswal (rootxharsh)

Terjanq (terjanq)