CVE-2018-1000006
Published 2018-01-24

CVE-2018-1000006: GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron…
Priority P276 · high · 8.8 (CVSS 3.0: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT · EPSS 84.71% (99.7th percentile)
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier have a vulnerability in the protocol handler: Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked into arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atom | electron | <= 1.7.10 | — |
| atom | electron | <= 1.6.15 | — |
| atom | electron | — | — |
| electron | electron | >= 0 < 1.8.2-beta5 | 1.8.2-beta5 |
| electron | electron | >= 1.6.0 < 1.6.16 | 1.6.16 |
| electron | electron | >= 1.7.0 < 1.7.11 | 1.7.11 |
| electron | electron | >= 1.8.0 < 1.8.2-beta.4 | 1.8.2-beta.4 |
| electronjs | electron | <= 1.8.1 | — |
| electronjs | electron | — | — |
Detection & IOCs (extracted from sources)
- Detect crafted URLs using the `exodus://` custom protocol handler that contain `--gpu-launcher=` argument injection, the core exploitation technique for CVE-2018-1000006.
- Monitor for Electron-based application processes spawning cmd.exe or powershell.exe as child processes, particularly with hidden window style flags, which is indicative of the Metasploit module's PSH payload delivery.
- Inspect HTTP responses served to Electron apps for HTML containing `window.location` redirects to custom protocol handlers (e.g. `exodus://`) combined with Chromium command-line argument injection patterns such as `--gpu-launcher=`.
- Flag HTTP responses with Content-Type `application/octet-stream` served from paths matching `/payload` in the context of Electron app network traffic, as used by the Metasploit module to deliver the second-stage PowerShell payload.
- Alert on Windows systems where Electron apps of vulnerable versions (1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier) register custom protocol handlers, as these are the versions targeted by CVE-2018-1000006.
- Note: the Metasploit module defaults to SRVPORT 80 and URIPATH `/`, so detections based solely on non-standard ports will miss default deployments of this exploit module.
- Note: the exploit only affects Electron apps running on Windows (10, 7, or 2008) that register custom protocol handlers; non-Windows platforms and apps without custom protocol handlers are not affected.
- Note: the PSH-Proxy advanced option in the Metasploit module causes the PowerShell payload to use the system proxy, which may affect network-based detection if proxy traffic is not inspected.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
GHSA
Electron protocol handler browser vulnerable to Command Injection
ghsa·2018-03-26·CVSS 8.8
CVE-2018-1000118 [HIGH] CWE-78 Electron protocol handler browser vulnerable to Command Injection
GitHub Electron 1.8.2-beta.4 and earlier contains a command injection vulnerability in the protocol handler that can result in command execution. This attack appears to be exploitable via the victim opening an Electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. The issue is due to an incomplete fix for CVE-2018-1000006: specifically, the blacklist used was not case-insensitive, allowing an attacker to potentially bypass it.
OSV
Electron protocol handler browser vulnerable to Command Injection
osv·2018-03-26·CVSS 8.8
CVE-2018-1000118 [HIGH] Electron protocol handler browser vulnerable to Command Injection
GitHub Electron 1.8.2-beta.4 and earlier contains a command injection vulnerability in the protocol handler that can result in command execution. This attack appears to be exploitable via the victim opening an Electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. The issue is due to an incomplete fix for CVE-2018-1000006: specifically, the blacklist used was not case-insensitive, allowing an attacker to potentially bypass it.
OSV
Remote Code Execution in electron
osv·2018-01-23
CVE-2018-1000006 [HIGH] Remote Code Execution in electron
Affected versions of `electron` may be susceptible to a remote code execution flaw when certain conditions are met:
1. The electron application is running on Windows.
2. The electron application registers as the default handler for a protocol, such as `nodeapp://`.
This vulnerability is caused by a failure to sanitize additional arguments to chromium in the command line handler for Electron.
MacOS and Linux are not vulnerable.
## Recommendation
Update electron to a version that is not vulnerable. If updating is not possible, the electron team has provided the following guidance:
If for some reason you are unable to upgrade your Electron version, you can append `--` as the last argument when calling `app.setAsDefaultProtocolClient`, which prevents C
GHSA
Remote Code Execution in electron
ghsa·2018-01-23
CVE-2018-1000006 [HIGH] CWE-78 Remote Code Execution in electron
Affected versions of `electron` may be susceptible to a remote code execution flaw when certain conditions are met:
1. The electron application is running on Windows.
2. The electron application registers as the default handler for a protocol, such as `nodeapp://`.
This vulnerability is caused by a failure to sanitize additional arguments to chromium in the command line handler for Electron.
MacOS and Linux are not vulnerable.
## Recommendation
Update electron to a version that is not vulnerable. If updating is not possible, the electron team has provided the following guidance:
If for some reason you are unable to upgrade your Electron version, you can append `--` as the last argument when calling `app.setAsDefaultProtocolClient`, which prevents C
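The `--` workaround from the OSV and GHSA recommendations above, worked through as an added example (this is not Electron's code, nor the advisory's): it models what the terminator does to the argument vector a registered handler receives on Windows, and the argv handling an app should do on top of it. `protocolClientArgs`, `extractProtocolUrl` and `suspiciousSwitchTokens` are hypothetical helper names, `nodeapp://` is the scheme the advisory uses as its example, and the argv arrays are constructed, not captured.

```javascript
'use strict';
// Added example, not Electron's code: models the fix recommended in the
// advisory (pass `--` as the last argument to app.setAsDefaultProtocolClient)
// and the argv handling an app should do on top of it. Helper names are
// hypothetical; the argv arrays below are constructed, not captured.

const PROTOCOL = 'nodeapp'; // the scheme used as the advisory's example

// Arguments to register with app.setAsDefaultProtocolClient(PROTOCOL,
// process.execPath, protocolClientArgs()). Windows appends the clicked URL
// ("%1") after these, so `--` must be last: Chromium then stops treating later
// tokens as switches such as --gpu-launcher=, which the exploit relies on.
function protocolClientArgs(extraArgs = []) {
  const args = extraArgs.filter((a) => a !== '--');
  args.push('--');
  return args;
}

// Returns the positional tokens that follow the `--` terminator, or null when
// the terminator is absent (the app was registered without it).
function positionalArgs(argv) {
  const sep = argv.indexOf('--');
  return sep === -1 ? null : argv.slice(sep + 1);
}

// Extracts the protocol URL the handler was invoked with. A URL whose quoting
// was broken out of (...aaa" --gpu-launcher="cmd" --x=) arrives as several
// positional tokens once `--` is in place; anything other than exactly one
// well-formed URL on the registered scheme is rejected.
function extractProtocolUrl(argv) {
  const positional = positionalArgs(argv);
  if (positional === null || positional.length !== 1) return null;
  let url;
  try {
    url = new URL(positional[0]);
  } catch (e) {
    return null;
  }
  return url.protocol === `${PROTOCOL}:` ? url : null;
}

// Tokens after the terminator that look like Chromium switches are worth
// logging: with `--` they are inert, but their presence indicates a crafted
// link was clicked (cf. the --gpu-launcher= pattern in the detection notes).
function suspiciousSwitchTokens(argv) {
  const positional = positionalArgs(argv) || [];
  return positional.filter((tok) => /^--[A-Za-z0-9-]+(=|$)/.test(tok));
}

// Stand-alone demo on constructed argv arrays (execPath, registered args, URL).
function demo() {
  const benign = ['app.exe', ...protocolClientArgs(), 'nodeapp://open/wallet'];
  const crafted = ['app.exe', '--', 'nodeapp://aaaa', '--gpu-launcher=cmd', '--aaaaa='];
  const ok = extractProtocolUrl(benign);
  return {
    benign: ok ? ok.href : null,          // 'nodeapp://open/wallet'
    crafted: extractProtocolUrl(crafted), // null: rejected
    flagged: suspiciousSwitchTokens(crafted),
  };
}

console.log(demo());
```

Without the terminator, `extractProtocolUrl` refuses everything, which is deliberate: an app registered without `--` has no way to tell from argv alone which tokens Chromium already consumed as switches, so the only safe move is to fix the registration. With it in place, the injected tokens still reach the app but only as positional strings, and the handler can drop them and record the attempt.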
No detection rules found.
Exploit-DB
Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)
exploitdb·2018-03-29
CVE-2018-1000006 Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule 'Exodus Wallet (ElectronJS Framework) remote Code Execution',
  'Description' => %q(
    This module exploits a Remote Code Execution vulnerability in Exodus Wallet,
    a vulnerability in the ElectronJS Framework protocol handler can be used to
    get arbitrary command execution if the user clicks on a specially crafted URL.
  ),
  'License' => MSF_LICENSE,
  'Author' =>
    [
      'Wflki', # Original exploit author
      'Daniel Teixeira' # MSF module author
    ],
  'DefaultOptions' =>
    {
      'SRVPORT' => '80',
      'URIPATH' => '/',
    },
  'References' =>
    [
      [ 'ED
```
Exploit-DB
Exodus Wallet (ElectronJS Framework) - Remote Code Execution
exploitdb·2018-01-25
CVE-2018-1000006 Exodus Wallet (ElectronJS Framework) - Remote Code Execution
---
```js
window.location = 'exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa='
```
Metasploit
Exodus Wallet (ElectronJS Framework) remote Code Execution
metasploit
Exodus Wallet (ElectronJS Framework) remote Code Execution
This module exploits a remote code execution vulnerability in Exodus Wallet: a vulnerability in the ElectronJS Framework protocol handler can be used to get arbitrary command execution if the user clicks on a specially crafted URL.
Trendmicro
Exposing Infection Techniques Across Supply Chains and Codebases
blogs_trendmicro·2023-10-05
Cyber Threats
# Exposing Infection Techniques Across Supply Chains and Codebases
This entry delves into threat actors' intricate methods to implant malicious payloads within seemingly legitimate applications and codebases.
By: Aliakbar Zahravi, Peter Girnus
2023/10/05
# Introduction
As technology evolves and the world becomes more interconnected, so do the techniques used by threat actors against their victims. Threat actors pose a significant risk to organizations, individuals, and communities by continuously exploiting the intricate interdependencies within supply chains and codebases.
One of the most concerning trends in recent years is the rise of supply chain attacks — particularly those that compromise codebases — as a critical global concern
Tenable
June Vulnerability of the Month: Electron Vulnerability Out-Hyped by Efail?
blogs_tenable·2018-06-15·CVSS 8.8
[HIGH] June Vulnerability of the Month: Electron Vulnerability Out-Hyped by Efail?
# June Vulnerability of the Month: Electron Vulnerability Out-Hyped by Efail?
Tenable Research
June 15, 2018
3 Min Read
Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability to highlight. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.
### Background
Electron is an open-source framework for developing desktop applications. According to Electron’s website, it’s currently used in 581 apps. On May 14, a vulnerability (CVE-2018-1000136) was pu
Bugzilla
URI Handler Command Injection Vulnerability [iDefense V-bsk2ottbf1]
bugzilla·2019-08-09
[MEDIUM] URI Handler Command Injection Vulnerability [iDefense V-bsk2ottbf1]
URI Handler Command Injection Vulnerability [iDefense V-bsk2ottbf1]
Created attachment 9084402
PoC html file
The following email was received from [email protected]
-------- Forwarded Message --------
Subject: Fwd: iDefense Vendor Notification - [V-bsk2ottbf1]
Date: Fri, 9 Aug 2019 17:51:29 +0000
From: Vendor Disclosure
To: [email protected]
CC: Vendor Disclosure
Please find the attached report and PoC for this issue.
Thanks,
Rohit Mothe
iDefense Labs
-------- Forwarded Message --------
Subject: iDefense Vendor Notification - [V-bsk2ottbf1]
Date: Fri, 9 Aug 2019 17:48:58 +0000
From: [email protected]
Reply-To: [email protected]
To: [email protected]
iDefense has identified a vulnerability. This vulnerability was submitted to iDefense through
- http://www.securityfocus.com/bid/102796
- https://electronjs.org/blog/protocol-handler-fix
- https://github.com/electron/electron/releases/tag/v1.8.2-beta.4
- https://medium.com/%40Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374
- https://www.exploit-db.com/exploits/43899/
- https://www.exploit-db.com/exploits/44357/
Published 2018-01-24