CVE-2018-1000006
published 2018-01-24

Priority: P2 76 (high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 84.71% (99.7th percentile)
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier have a vulnerability in the protocol handler: Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked into arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atom | electron | <= 1.7.10 | |
| atom | electron | <= 1.6.15 | |
| atom | electron | | |
| electron | electron | >= 0 < 1.8.2-beta5 | 1.8.2-beta5 |
| electron | electron | >= 1.6.0 < 1.6.16 | 1.6.16 |
| electron | electron | >= 1.7.0 < 1.7.11 | 1.7.11 |
| electron | electron | >= 1.8.0 < 1.8.2-beta.4 | 1.8.2-beta.4 |
| electronjs | electron | <= 1.8.1 | |
| electronjs | electron | | |

Detection & IOCs (extracted from sources)

url: exodus://[random]" --gpu-launcher="cmd.exe /k [payload]" --[random]='
command: exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa='
command: --gpu-launcher="cmd.exe /k [powershell payload]"
  • Detect crafted URLs using the 'exodus://' custom protocol handler containing '--gpu-launcher=' argument injection, which is the core exploitation technique for CVE-2018-1000006.
  • Monitor for Electron-based application processes spawning cmd.exe or powershell.exe as child processes, particularly with hidden window style flags, which is indicative of the Metasploit module's PSH payload delivery.
  • Inspect HTTP responses served to Electron apps for HTML containing 'window.location' redirects to custom protocol handlers (e.g., 'exodus://') combined with Chromium command-line argument injection patterns like '--gpu-launcher='.
  • Flag HTTP responses with Content-Type 'application/octet-stream' served from paths matching '/payload' in the context of Electron app network traffic, as used by the Metasploit module to deliver the second-stage PowerShell payload.
  • Alert on Windows systems where Electron apps (versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier) register custom protocol handlers, as these are the vulnerable versions targeted by CVE-2018-1000006.
  • The Metasploit module defaults to SRVPORT 80 and URIPATH '/', meaning detections based solely on non-standard ports will miss default deployments of this exploit module.
  • The exploit only affects Electron apps running on Windows (10, 7, or 2008) that register custom protocol handlers; non-Windows platforms and apps without custom protocol handlers are not affected.
  • The PSH-Proxy advanced option in the Metasploit module causes the PowerShell payload to use the system proxy, which may affect network-based detection if proxy traffic is not inspected.
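
The first two detections above can be combined into one pass over process-creation telemetry. The following is an added example, not code from this page's sources or from the Metasploit module. The event field names (`id`, `image`, `parent_image`, `cmdline`), the install path and the sample events are constructed assumptions; the percent-decoding step covers logs that record the quote as `%22`.

```python
import re
from urllib.parse import unquote

SHELLS = {"cmd.exe", "powershell.exe"}
# Value of the injected switch: a quoted string or a bare token.
SWITCH_RE = re.compile(r'--gpu-launcher=("[^"]*"|\S+)', re.IGNORECASE)

def injected_launcher(text, scheme="exodus"):
    """Return the --gpu-launcher value that follows a scheme:// URI, else None."""
    decoded = unquote(text)  # proxy logs and HTML may carry %22 instead of "
    start = decoded.lower().find(scheme.lower() + "://")
    if start < 0:
        return None
    m = SWITCH_RE.search(decoded, start)
    return m.group(1).strip('"') if m else None

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events, electron_apps, scheme="exodus"):
    """Flag switch injection into an Electron app and shells spawned by one."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if image in electron_apps:
            value = injected_launcher(ev["cmdline"], scheme)
            if value is not None:
                findings.append((ev["id"], "switch-injection", value))
        if parent in electron_apps and image in SHELLS:
            findings.append((ev["id"], "shell-child", image))
    return findings

# Constructed sample events (hypothetical paths and field names).
EVENTS = [
    {"id": 1, "image": r"C:\Apps\Exodus.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Apps\Exodus.exe" "exodus://open"'},
    {"id": 2, "image": r"C:\Apps\Exodus.exe", "parent_image": r"C:\Apps\browser.exe",
     "cmdline": '"C:\\Apps\\Exodus.exe" "exodus://aaaaaaaaa" --gpu-launcher="cmd" --aaaaa=\'"'},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Apps\Exodus.exe",
     "cmdline": "cmd"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS, {"exodus.exe"}):
        print(finding)
```

Pass the lower-cased executable names of the Electron apps in your own inventory as `electron_apps`, and the scheme each one registers as `scheme`.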

CVSS provenance

nvd v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
nvd v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ghsa: 8.8 HIGH
osv: 8.8 HIGH