Preload scripts can introduce vulnerabilities

Researchers have demonstrated how weaknesses in Electron preload scripts can introduce vulnerabilities in sandboxes and allow malicious code execution.

Preload scripts are executed outside of the sandbox and are initiated before renderer scripts are loaded.

These have legitimate uses such as granting access to application data structures that might be isolated or segregated in a sandbox.

However, this comes with a catch. Researchers from Doyensec have demonstrated how isolation can be bypassed using preloads – meaning that insecure code within the sandbox can be executed.

“Preload scripts have access to Node.js, and the functions exported by applications to the global window often include dangerous primitives,” the researchers noted.

Doyensec has categorized four types of insecure preloads, which can be explored in this blog post.

The team presented their findings at this year’s Black Hat Asia, but have now released detailed examples of attacks.

Secure messaging platform WireApp for desktop was one vulnerable application.

It has a web view option that enforces isolation by using BrowserWindow with nodeIntegration disabled. This web view can contain untrusted code making the sandbox critical.

But researchers showed how when the preload script for web view runs, any code within the isolated renderer could obtain a file write primitive, leading to full sandbox escape.

A security patch has now been released for this issue.

Voice and text chat platform Discord for desktop again implements isolation through BrowserWindow with nodeIntegration disabled.

The main screen preload (app/mainScreenPreload.js) is “basically a wrapper” for Electron’s asynchronous IPC mechanism, the blog notes.

But as there’s no separation between app-level IPC messages and the internal channel, an attacker can issue asynchronous IPC messages with arbitrary channels, leading to a full sandbox escape.