Sowing Discord

Discord desktop app vulnerable to RCE courtesy of chained exploit

A security researcher has achieved remote code execution (RCE) on Discord’s desktop application by chaining a trio of security vulnerabilities.

The exploit (demonstrated in this video) capitalized on the fact that Discord had disabled the RCE-blocking contextIsolation option in Electron.

It also leveraged a cross-site scripting (XSS) flaw in the implementation of iframe embeds on 3D viewing platform Sketchfab, along with a navigation restriction bypass in Electron.

Discord, whose client is built on the Electron framework, is an instant messaging and VoIP application with more than 100 million active monthly users.

Japanese researcher Masato Kinugawa was awarded $5,000 by Discord and $300 by Sketchfab through the platforms’ respective bug bounty programs.

Out of context

The three-stage research process, which Kinugawa has documented in a blog post published yesterday (October 18, also available in Japanese), began with efforts to execute arbitrary JavaScript on Discord by first checking the BrowserWindow API options.

Because nodeIntegration was false in Discord's main window, the researcher couldn’t call require() directly in order to use Node.js features.

RCE should nonetheless have been ruled out by contextIsolation, a protection Electron introduced in response to a 2016 Cure53 penetration test to which Kinugawa contributed.

However, the researcher discovered that this option was disabled, meaning that “a web page’s JavaScript can affect the execution of the Electron’s internal JavaScript code on the renderer, and preload scripts”.

Kinugawa then tried, to no avail, a technique for achieving RCE that he had outlined in a 2018 presentation.

Switching his focus to preload scripts, he found that Discord exposes a function that allows some permitted modules to be called (via DiscordNative.nativeModules.requireModule('MODULE-NAME')) into the web page.

He then “found a code where RCE can be achieved by overriding the JavaScript built-in methods and interfering with the execution of the exposed module”.

In XSS

The researcher subsequently achieved XSS by abusing Discord’s iframe embeds feature, which embeds rich content from compatible platforms, such as YouTube, Twitch or Spotify, when URLs are pasted into third-party HTML pages.

One by one, the researcher checked whether potentially compatible services – as gauged from Discord’s CSP frame-src directive – could be embedded in the iframe, and discovered that one of them, Sketchfab, had “a simple DOM-based XSS in the footnote of the 3D model”.

Once a malicious URL was posted to a Discord chat, the 3D model viewer was embedded into the iframe, and a “few clicks” on it then executed arbitrary JavaScript.

RCE ahoy

However, Electron doesn’t load internal JavaScript renderer code into the iframe, so “even if I override the JavaScript built-in methods on the iframe, I can’t interfere with the Node.js’ critical parts”, Kinugawa explained.

Achieving RCE therefore required the execution of JavaScript in a “top-level browsing context” by “opening a new window from the iframe or navigating the top window to another URL from the iframe”.

This was possible because the code designed to prevent such actions never ran: a top-level navigation initiated from the iframe did not trigger the will-navigate event that the check relied on.

He duly bypassed the navigation restriction to achieve RCE by navigating to the page containing the RCE code with the iframe’s XSS.

Updates and mitigation

After being alerted to the flaws, the Discord security team disabled Sketchfab embeds and enabled contextIsolation, while Sketchfab fixed the XSS quickly, said Kinugawa.

A security advisory published on GitHub on October 5 announced the release of new versions of Electron NPM – 11.0.0-beta.1, 10.0.1, 9.3.0, 8.5.1 – that patched the navigation restriction bypass (CVE-2020-15174).

In lieu of applying updates, Electron’s security team advised users to sandbox all iframes using the sandbox attribute.

“This will prevent them creating top-frame navigations and is good practice anyway,” they explained.
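As an added illustration of the two mitigations described above (not code from the article, from Discord or from Electron), the following Node.js helper audits a BrowserWindow `webPreferences` object and an HTML fragment for the settings the chain relied on: contextIsolation left off, and iframes that are unsandboxed or that grant top-frame navigation. The option names are Electron’s real ones; the sample configurations and HTML are constructed for the example.

```javascript
// Added example: audit helpers for the Electron/iframe weaknesses discussed
// in the article. Electron is not required; the functions inspect plain data.

// Check a BrowserWindow `webPreferences` object. Returns a list of findings;
// an empty list means none of the checked weaknesses is present.
function auditWebPreferences(prefs) {
  const findings = [];
  // contextIsolation defaulted to false before Electron 12, so treat anything
  // but an explicit `true` as disabled (the Discord configuration).
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation disabled: page JS shares a context with preload scripts');
  }
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: require() is reachable from the page');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox disabled: renderer is not OS-sandboxed');
  }
  return findings;
}

// Check an HTML fragment for iframes that could create top-frame navigations:
// no sandbox attribute at all, or a sandbox that grants allow-top-navigation
// (the -by-user-activation variant also matches; the article's "few clicks"
// scenario would satisfy it).
function auditIframes(html) {
  const findings = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const sb = /\bsandbox(?:\s*=\s*"([^"]*)")?/i.exec(attrs);
    if (!sb) {
      findings.push(`unsandboxed iframe: ${m[0]}`);
    } else if (sb[1] && /\ballow-top-navigation\b/.test(sb[1])) {
      findings.push(`iframe allows top navigation: ${m[0]}`);
    }
  }
  return findings;
}

// Constructed sample inputs: the weak configuration beside the hardened one.
const weakPrefs = { nodeIntegration: false, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };
const weakHtml = '<iframe src="https://example.invalid/embed"></iframe>';
const hardenedHtml = '<iframe sandbox="allow-scripts" src="https://example.invalid/embed"></iframe>';

console.log(auditWebPreferences(weakPrefs), auditIframes(weakHtml));
```

A bare `sandbox` attribute (no value) applies every restriction and is accepted; only a value that re-enables top navigation is flagged.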

The Daily Swig has contacted Masato Kinugawa for further comment and will update the article accordingly if we hear back.