My colleague has two kids, ages 9 and 12. Since the COVID lockdowns they have been playing more online games and each of them use Discord to chat with their friends during gameplay. Did my colleague or the millions of other Discord users think that vulnerabilities in open source libraries used in the application could result in a takeover of their machines?
Discord, an Instant Messaging (IM) and VoIP app popular among the gaming community, recently patched a set of critical vulnerabilities that could allow a skilled attacker to gain Remote Code Execution (RCE) privileges on the users' Desktop app.
Although licensed as a freeware proprietary application, Discord is built with open source libraries, not unlike most applications today. One such library is NodeJS-based Electron framework.
What makes the news around this event particularly interesting is that by exploiting a set of small isolated vulnerabilities, that individually seem trivial, Japanese security researcher Masato Kinugawa was able to achieve full-on remote code execution capability on a user’s system running the Discord Desktop app.
Through responsible disclosure of these flaws, Kinugawa also collected $5,300 in bug bounties.
Context isolation and Framebusting vulnerabilities
Discord app is built with the Electron framework.
Electron is an appealing choice among developers because, other than being open source, the framework empowers creators to build cross-platform GUI apps using web technologies they are already familiar with: HTML, JavaScript (JS), and CSS.
This cuts the overhead of learning another UI framework from scratch, let alone debugging it.
The popularity of electron among the developer community is probably also a reason as to why it was recently capitalized by typosquatting malware "electorn," as discovered by Sonatype (more on that later).
The actual vulnerabilities that Kinugawa was able to exploit in conjunction -- a concept known as "vulnerability chaining," include:
- CVE-2020-15215 - Context Isolation Bypass in `electron`
- CVE-2020-15174 - Protection Mechanism Failure (framebusting) in `electron`
- Cross-Site Scripting (XSS) - this vulnerability was present on a third-party website SketchFab, which provides an embeddable 3D content viewer.
When exploited in conjunction, the three vulnerabilities work like an exquisite swiss-knife.
Due to how electron had been configured in Discord, the context isolation allowed the attacker’s app to access NodeJS’ properties via JavaScript which should normally be out of scope.
"The contextIsolation, another important option, was set to false. This option should not be set to false if you want to eliminate the possibility of RCE on your app," stated Kinugawa.
"If the contextIsolation is disabled, a web page's JavaScript can affect the execution of the Electron's internal JavaScript code on the renderer, and preload scripts," the researcher continued in a blog post.
The researcher explained that Electron’s default configuration, as being used by Discord, was "dangerous" because even if the nodeIntegration option had been disabled, Electron would allow a malicious actor to achieve Remote Code Execution (RCE) due to lack of an isolated context between their app and the NodeJS engine.
Having found a way to influence NodeJS properties directly, the researcher could have now launched a simple calculator app locally via NodeJS' child_process.exec( ). However, exploiting an XSS vulnerability on a 3rd party website, paved way for the researcher to host the malicious payload on an external site.
Since SketchFab had an XSS vulnerability and was further permitted as a website, alongside YouTube, that you could embed content from, the researcher chose the site to host their malicious payload. Finally, to trigger the embedded payload to "break out" of the embedded iframe and influence the top frame was facilitated by the "framebusting" vulnerability CVE-2020-15174.
As The Daily Swig post explains, this means, an attacker pasting the malicious SketchFab URL into Discord chat would lead to Discord's Desktop client "embedding" the content (malicious payload) into an iframe within the chat.
But further because of the framebusting vulnerability, when the iframe is clicked, the payload within would execute in the top frame, that too without the contextIsolation restriction in place. And voila, the attacker has achieved Remote Code Execution (RCE).
Increase in open source usage and hacks
The ongoing "open source boom" is here to stay, for the foreseeable future.
Incidents like Microsoft's $7.5 billion investment in GitHub, which further acquired npm, are living proof of the value brought forth by the vast, ever-expanding open source ecosystem.
This month, another report emerged in which Tidelift's CEO Donald Fisher commented on an open source survey conducted by the company:
"This finding continues a trend that began after the recession of the early 2000s and continued after the financial crisis of 2008. Organizations turn to open source in tough economic times because it helps them reduce costs and improves their ability to innovate."
Whether due to cost savings, or the permissive nature of open source software licensing, as more and more companies adapt to using and contributing to open source, there emerges another challenge to be filled: safeguarding the software supply chain.
If your developers, for example, were designing a communications app like Discord using Electron, and had mistyped it as "electorn" in their software dependencies, not only would they be victims of a typosquatting malware attack, but anyone who used their apps and further built on them. This is what we call attackers cascading their attacks "downstream."
Instead of targeting a particular organization or entity, as an attacker, it'd be much easier for me to capitalize on the branding and popularity of an existing package and exploit trust within the open source community devs through subtle attacks like "typosquatting."
Now, even if typosquatting had not been the paramount concern here and your organization’s developers were using the authentic Electron framework, they still have no way of knowing if vulnerabilities like CVE-2020-15215 and CVE-2020-15174 had crept into their code.
Last week, npm removed even more open source malware that impersonated a Slack client but in effect launched reverse shells on Windows and Linux machines.
Our 2020 State of the Software Supply Chain report also shows that this is happening at a rapidly increased rate. In fact, there was a 430% increase in next-generation software supply chain attacks over the past year. Keeping this in mind, it is virtually impossible to manually chase and keep track of such components.
How DevSecOps helps
This is where DevSecOps comes in handy. By adopting DevSecOps best practices and tools, you can build security early on into your products, keeping your software supply chains safe.
And if your company champions as an open source contributor, you are now also keeping everyone else's software supply chains safe by eliminating any loose ends in your code.
Electron framework vulnerabilities CVE-2020-15215 and CVE-2020-15174 discovered in Discord had been accounted for by Sonatype in our products long before they made headlines.
Sonatype Platform customers were notified of these vulnerabilities within hours of their disclosure, and their development teams automatically received instructions on how to remediate the risk.
If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Sonatype Vulnerability Scanner to find out quickly.
Visit the Sonatype Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Sonatype Intelligence Insights hot off the press.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.
Explore All Posts by Ax Sharma