The exploit (demonstrated in this video) capitalized on the fact that Discord had disabled the RCE-blocking contextIsolation option in Electron.
It also leveraged a cross-site scripting (XSS) flaw in the implementation of iframe embeds on 3D viewing platform Sketchfab, along with a navigation restriction bypass in Electron.
Japanese researcher Masato Kinugawa was awarded $5,000 by Discord and $300 by Sketchfab through the platforms’ respective bug bounty programs.
Out of context
Because nodeIntegration was false in Discord's main window, the researcher couldn’t call require() directly in order to use Node.js features.
With contextIsolation enabled, this should have precluded RCE; the option was introduced by Electron in response to a 2016 Cure53 penetration test to which Kinugawa contributed.
Kinugawa then tried, to no avail, a technique for achieving RCE that he had outlined in a 2018 presentation.
Switching his focus to preload scripts, he found that Discord exposes a function to the web page, DiscordNative.nativeModules.requireModule('MODULE-NAME'), that loads a limited set of permitted modules.
The researcher subsequently achieved XSS by abusing Discord’s iframe embeds feature, which embeds rich content from compatible platforms, such as YouTube, Twitch or Spotify, when URLs are pasted into third-party HTML pages.
One by one, the researcher checked whether potentially compatible services – as gauged from Discord’s CSP frame-src directive – could be embedded in the iframe and discovered that one of them, Sketchfab, had “a simple DOM-based XSS in the footnote of the 3D model”.
This was exploitable because a navigation initiated from inside the iframe did not trigger a will-navigate event on the top-level window, so the code designed to block such navigations never ran.
He duly bypassed the navigation restriction to achieve RCE by navigating to the page containing the RCE code with the iframe’s XSS.
Updates and mitigation
After being alerted to the flaws, the Discord security team disabled Sketchfab embeds and enabled contextIsolation, while Sketchfab fixed the XSS quickly, said Kinugawa.
A security advisory published on GitHub on October 5 announced the release of new versions of the Electron npm package – 11.0.0-beta.1, 10.0.1, 9.3.0, 8.5.1 – that patched the navigation restriction bypass (CVE-2020-15174).
For users unable to apply the updates, Electron’s security team advised sandboxing all iframes using the sandbox attribute.
“This will prevent them creating top-frame navigations and is good practice anyway,” they explained.
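The two settings at the centre of this report (nodeIntegration and contextIsolation in an Electron window’s webPreferences) and the advisory’s iframe sandbox workaround, as an added example that is not code from Discord, Electron or the researcher: an audit of a window’s webPreferences, its hardened equivalent, and an embed builder that only frames allowlisted hosts with a sandbox attribute. The allowlist and URLs are constructed for illustration.

```javascript
// Added example: audit an Electron BrowserWindow `webPreferences` object for
// the settings this incident turned on, and build the sandboxed iframe markup
// the Electron advisory recommended as a workaround. Not Discord's own code.

// At the time of the report (Electron 8-11) contextIsolation defaulted to
// false; Electron 12 changed the default to true.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration: renderer can call require() directly');
  }
  if (prefs.contextIsolation !== true) {
    // Without isolation, anything the preload script attaches to `window`
    // (such as a module-loading bridge) is reachable from injected page script.
    findings.push('contextIsolation off: preload-exposed objects reachable by XSS');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox off: renderer process is not OS-sandboxed');
  }
  return findings;
}

// Return the same webPreferences with the risky settings corrected.
function hardenWebPreferences(prefs) {
  return { ...prefs, nodeIntegration: false, contextIsolation: true, sandbox: true };
}

// Build an <iframe> for an embed URL. Only https hosts on the allowlist (the
// equivalent of a CSP frame-src list) are embedded, and the sandbox attribute
// deliberately omits allow-top-navigation, so a compromised frame cannot steer
// the top-level window. allow-same-origin is acceptable here only because the
// embedded hosts are third parties, never the application's own origin.
function sandboxedEmbed(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== 'https:' || !allowedHosts.includes(url.hostname)) return null;
  const src = url.href.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${src}" sandbox="allow-scripts allow-same-origin"></iframe>`;
}

// Constructed sample: the configuration pattern described in the article.
const discordLike = { nodeIntegration: false, contextIsolation: false };
console.log(auditWebPreferences(discordLike));
console.log(auditWebPreferences(hardenWebPreferences(discordLike)));
console.log(sandboxedEmbed('https://sketchfab.com/models/example', ['sketchfab.com']));

module.exports = { auditWebPreferences, hardenWebPreferences, sandboxedEmbed };
```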
The Daily Swig has contacted Masato Kinugawa for further comment and will update the article accordingly if we hear back.