Living Off The Land (LOTL) Attack Due to Electron Fuses Misconfiguration

Vibhav Dudeja, Engineering (Product Security)

Introduction

This article highlights a potential LOTL (Living Off The Land) attack caused by a misconfiguration of Electron Fuses in the Electron Framework. The issue, present in thick client applications on Linux, Windows, and macOS, allows attackers to execute arbitrary code on the affected machine.

Below, we delve into the technical details, demonstrate a proof of concept (PoC), and provide actionable guidance for developers to mitigate the risk.

Background

Electron is the most popular framework that enables developers to write cross-platform desktop applications while maintaining a single code base. It is currently used by many popular desktop applications, including VS Code, Notion, WhatsApp, and many more.

While Electron takes care of many of the security risks by default, it is the responsibility of the developers to use the provided configurations in a secure manner.

The default configuration of Electron Fuses allows attackers to use an Electron-based application to execute commands on the host machine. The attack affects every platform the application is built for: Windows, Linux, and macOS.

Technical Details

Electron Fuses make it possible to disable, for an entire application built with the Electron Framework, certain features that the application does not need and is not intended to use. Currently, the following fuses are supported in an Electron-based application.

| Fuse Name | Default Value | Fuse Purpose |
| --- | --- | --- |
| runAsNode | Enabled | toggles whether the ELECTRON_RUN_AS_NODE environment variable is respected or not |
| cookieEncryption | Disabled | toggles whether the cookie store on disk is encrypted using OS level cryptography keys or not |
| nodeOptions | Enabled | toggles whether the NODE_OPTIONS and NODE_EXTRA_CA_CERTS environment variables are respected or not |
| nodeCliInspect | Enabled | toggles whether the --inspect, --inspect-brk, etc. flags are respected or not |
| embeddedAsarIntegrityValidation | Disabled | toggles an experimental feature on macOS that validates the content of the app.asar file when it is loaded |
| onlyLoadAppFromAsar | Disabled | changes the search system that Electron uses to locate your app code |
| loadBrowserProcessSpecificV8Snapshot | Disabled | changes which V8 snapshot file is used for the browser process |
| grantFileProtocolExtraPrivileges | Enabled | changes whether pages loaded from the file:// protocol are given privileges beyond what they would receive in a traditional web browser |

As the purposes above indicate, some applications genuinely need the default values for their use case. However, depending on how widely the application is deployed and what functionality it provides, leaving the defaults intact can expose it to certain risks. One such risk is the LOTL attack caused by the default behavior of the runAsNode fuse.

An attacker may be able to trick a victim into running arbitrary JavaScript code on their computer using the inherited TCC (Transparency, Consent, and Control) permissions of the impacted application.
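From the defender's side, the useful signal is an Electron executable being started with the environment variables or flags that the runAsNode, nodeOptions and nodeCliInspect fuses control. The following is an added detection example, not code from the article: it runs a rule over constructed, EDR-style process-start records. The record fields (image, parent, cmdline, env) are an assumed telemetry schema, and the sample records are constructed for this example.

```javascript
// Added example (not from the article): a detection rule for process-start
// telemetry. Record fields (image, parent, cmdline, env) are an assumed,
// EDR-style schema; the sample records below are constructed.

// NODE_OPTIONS forms that preload a script into the runtime (nodeOptions fuse).
const PRELOAD_RE = /(^|\s)(--require|--import|-r)(=|\s)/;
// Flags the nodeCliInspect fuse controls.
const INSPECT_RE = /^--inspect(-brk)?(=|$)/;

// Classify one process-start record as 'none' | 'medium' | 'high'.
function classify(evt) {
  const env = evt.env || {};
  const reasons = [];
  if ('ELECTRON_RUN_AS_NODE' in env) {
    reasons.push('ELECTRON_RUN_AS_NODE set: binary runs as plain Node.js');
  }
  if (typeof env.NODE_OPTIONS === 'string' && PRELOAD_RE.test(env.NODE_OPTIONS)) {
    reasons.push(`NODE_OPTIONS preloads a script: ${env.NODE_OPTIONS}`);
  }
  if (env.NODE_EXTRA_CA_CERTS) {
    reasons.push(`NODE_EXTRA_CA_CERTS=${env.NODE_EXTRA_CA_CERTS}`);
  }
  for (const arg of evt.cmdline.split(/\s+/).slice(1)) {
    if (INSPECT_RE.test(arg)) reasons.push(`inspector flag ${arg}`);
  }
  if (reasons.length === 0) return { severity: 'none', reasons };
  // process.fork() in an app with runAsNode enabled legitimately sets
  // ELECTRON_RUN_AS_NODE on a child of the app itself, so a same-image parent
  // is downgraded; any other parent means something else is driving the binary.
  return { severity: evt.parent === evt.image ? 'medium' : 'high', reasons };
}

// Run the rule over a batch and keep only the records worth a look.
function scanProcessEvents(events) {
  return events
    .map((evt) => ({ ...evt, ...classify(evt) }))
    .filter((r) => r.severity !== 'none');
}

// Constructed sample telemetry for the Neutron demo app.
const SAMPLE_EVENTS = [
  { ts: '2025-01-10T09:12:01Z', image: '/opt/Neutron/neutron', parent: '/bin/bash',
    cmdline: '/opt/Neutron/neutron /tmp/unexpected.js', env: { ELECTRON_RUN_AS_NODE: '1' } },
  { ts: '2025-01-10T09:12:05Z', image: '/opt/Neutron/neutron', parent: '/opt/Neutron/neutron',
    cmdline: '/opt/Neutron/neutron /opt/Neutron/resources/app/worker.js', env: { ELECTRON_RUN_AS_NODE: '1' } },
  { ts: '2025-01-10T09:13:00Z', image: '/opt/Neutron/neutron', parent: '/usr/bin/gnome-shell',
    cmdline: '/opt/Neutron/neutron', env: {} },
  { ts: '2025-01-10T09:14:30Z', image: '/opt/Neutron/neutron', parent: '/bin/sh',
    cmdline: '/opt/Neutron/neutron', env: { NODE_OPTIONS: '--require /tmp/unexpected.js' } },
];

for (const hit of scanProcessEvents(SAMPLE_EVENTS)) {
  console.log(`${hit.ts} ${hit.severity.toUpperCase()} ${hit.image} <- ${hit.parent}: ${hit.reasons.join('; ')}`);
}
```

The parent-image check matters in practice: an application that still has runAsNode enabled and uses process.fork will produce ELECTRON_RUN_AS_NODE children of itself all day, so alerting on the variable alone is noisy. Once the fuse is disabled, any hit at all is worth investigating.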

Proof of Concept

Disclaimer: Use this PoC responsibly and in authorized environments only.

For the purpose of this PoC, we use a very simple Electron-based application called Neutron, built with Electron version 33.3.0. 

[Screenshot: LOTL-attacks-1]

We can check the Fuse values and launch an attack over the impacted application using a simple node command:

[Screenshot: lotl read fuses]

[Screenshot: LOTL-attacks-2]

We can observe that all fuses are at their default values, so we can proceed to confirm the vulnerability.

Let's create a simple JavaScript file that will run if the application is vulnerable.

[Screenshot: exploit js code]

We need to set the ELECTRON_RUN_AS_NODE environment variable and run the exploit script.

[Screenshot: LOTL-attacks-3]

[Screenshot: LOTL-attacks-4]

[Screenshot: LOTL-attacks-5]

This confirms the vulnerability! We can modify the exploit script further to cause even more impact.

Remediation

The fix for the vulnerability is easy, as it involves only a configuration change. The exact steps, however, depend on the packaging tool used.

If the packaging tool supports running a user-defined script after the build process (for example, electron-builder), the following script can be used to fix the vulnerability.

[Screenshot: lotl fix code]

In the package.json file, the script should be referenced under the build.afterPack key.

[Screenshot: lotl package]

Otherwise, the vulnerability can be fixed by using the write command of @electron/fuses as shown below.

[Screenshot: lotl write fuses]
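Both the read check in the proof of concept and the write command here operate on the same thing: a small "fuse wire" embedded in the Electron binary that @electron/fuses locates by a sentinel string and patches in place (on macOS the binary is Contents/Frameworks/Electron Framework.framework/Electron Framework inside the bundle, which the tool resolves for you when given the .app). The following is an added example, not code from the article or from @electron/fuses, that reads, audits and rewrites that wire so the effect of the read and write commands is visible byte by byte. The sentinel value, the layout (sentinel, one version byte, one count byte, one state byte per fuse) and the fuse ordering are assumptions taken from my reading of the package and should be verified against its source; the sample binary is constructed.

```javascript
// Added example, not code from the article or @electron/fuses: parse, audit and
// patch the fuse wire directly. Assumed and to be verified against the package
// source: the sentinel string, the layout sentinel|version|count|states, and
// the FuseV1 ordering below. The "binary" used here is constructed.

const SENTINEL = Buffer.from('dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX', 'ascii');
// Fuse names in wire order (matches the table earlier in the article).
const FUSE_V1 = ['runAsNode', 'cookieEncryption', 'nodeOptions', 'nodeCliInspect',
  'embeddedAsarIntegrityValidation', 'onlyLoadAppFromAsar',
  'loadBrowserProcessSpecificV8Snapshot', 'grantFileProtocolExtraPrivileges'];
// State byte values as written by the tooling.
const STATE = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed', 0x90: 'inherit' };
// Default states that leave the "run the app as Node" path and its neighbours open.
const RISKY = { runAsNode: 'enabled', nodeOptions: 'enabled', nodeCliInspect: 'enabled', onlyLoadAppFromAsar: 'disabled' };

// Find the wire: returns the offset of the first state byte and the fuse count.
function locateWire(bin) {
  const at = bin.indexOf(SENTINEL);
  if (at < 0) throw new Error('no fuse wire found (not an Electron binary?)');
  const pos = at + SENTINEL.length;
  const version = bin[pos];
  if (version !== 1) throw new Error(`unsupported fuse wire version ${version}`);
  return { start: pos + 2, count: bin[pos + 1] };
}

// Equivalent of `@electron/fuses read`: { fuseName: state }.
function readFuses(bin) {
  const { start, count } = locateWire(bin);
  const out = {};
  for (let i = 0; i < count && i < FUSE_V1.length; i++) {
    out[FUSE_V1[i]] = STATE[bin[start + i]] || 'unknown';
  }
  return out;
}

// Names of fuses still in a risky state; empty means the fix is in place.
function auditFuses(bin) {
  const fuses = readFuses(bin);
  return Object.entries(RISKY).filter(([name, bad]) => fuses[name] === bad).map(([name]) => name);
}

// Equivalent of `@electron/fuses write`: returns a patched copy of the binary.
function writeFuses(bin, changes) {
  const out = Buffer.from(bin); // copy; the caller decides whether to overwrite the file
  const { start, count } = locateWire(out);
  for (const [name, enable] of Object.entries(changes)) {
    const i = FUSE_V1.indexOf(name);
    if (i < 0 || i >= count) throw new Error(`unknown fuse ${name}`);
    if (out[start + i] === 0x72) throw new Error(`${name} was removed at build time and cannot be flipped`);
    out[start + i] = enable ? 0x31 : 0x30;
  }
  return out;
}

// Constructed stand-in for an Electron binary with every fuse at its default.
function sampleBinary() {
  const defaults = Buffer.from([0x31, 0x30, 0x31, 0x31, 0x30, 0x30, 0x30, 0x31]);
  return Buffer.concat([Buffer.alloc(64, 0x90), SENTINEL,
    Buffer.from([1, defaults.length]), defaults, Buffer.alloc(32, 0)]);
}

// Usage on a real file: node fusewire.js <path-to-electron-binary>
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const bin = require('fs').readFileSync(process.argv[2]);
  console.log(readFuses(bin));
  console.log('risky:', auditFuses(bin));
}
```

Because the write is a byte-for-byte patch of an already-built executable, the re-check in the next step is meaningful: after the fix the same read shows runAsNode disabled, and an attempt to run the app with ELECTRON_RUN_AS_NODE set is ignored by the binary itself rather than by any runtime check.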

To confirm the fix, the exploit binary file can be re-run against the newly built application; the application should no longer be able to execute arbitrary code.

[Screenshot: LOTL-attacks-6]

[Screenshot: LOTL-attacks-7]

[Screenshot: LOTL-attacks-8]

Implications for Development Teams

Development teams using the Electron Framework should apply this fix by default. Be aware, however, that once runAsNode is disabled, process.fork in the main process will no longer work as expected, because it relies on the ELECTRON_RUN_AS_NODE environment variable. Utility Processes must be used instead; they cover many of the use cases where a standalone Node.js process is needed.

Hence, it is essential to perform end-to-end performance and functional testing before releasing the fix to production.

Conclusion

Due to the nature of this vulnerability, it is necessary to address it to ensure the security of users and the data on their machines. The issue is easy to detect, and the PoC exploit code is provided along with the remediation. Furthermore, any configuration-related change must be reviewed carefully to ensure that it does not harm the security posture of the application.