National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cybersecurity by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Discord desktop app vulnerability chain triggered remote code execution attacks

19 October 2020

Discord has patched a critical issue in the desktop version of the messaging app which left users vulnerable to remote code execution (RCE) attacks.

Bug bounty hunter Masato Kinugawa developed an exploit chain leading to RCE several months ago and published a blog post over the weekend describing the technical details of the method, which combines multiple bugs.

The first security issue was found in Electron, the software framework used by the Discord desktop app. While the desktop app is not open source, the JavaScript code utilized by Electron — an open source project for creating cross-platform apps able to harness JavaScript, HTML, and CSS — was saved locally and could be extracted and examined.

One of the settings in Discord’s Electron build, “contextIsolation,” was set to false. This could allow JavaScript code from a web page loaded in the app to influence the app’s internal code, including code that calls Node.js functions. The feature was designed to keep web page code and the app’s own JavaScript in separate contexts.

“This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless [of] the nodeIntegration option and by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false,” Kinugawa explained.

Now, the researcher needed a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) issue in the iframe embed feature, used to display video in chat when a URL is posted, such as one from YouTube.

This led Kinugawa to Sketchfab, a 3D content viewer. Sketchfab is whitelisted in Discord’s content security policy and can be embedded in the iframe — but a DOM-based XSS discovered in the embeds page could be abused.

However, this only allowed the bug bounty hunter to execute JavaScript in the iframe, and so it still wasn’t possible to achieve full RCE on the Discord desktop app. At least, not until Kinugawa came across a navigation restriction bypass in Electron’s “will-navigate” event code.

Tracked as CVE-2020-15174, this processing error, combined with the other two vulnerabilities, allowed Kinugawa to perform an RCE attack by circumventing navigation restrictions and using the iframe XSS bug to access a web page containing the RCE payload.

Kinugawa reported his findings via Discord’s Bug Bounty program. After the Discord team triaged the bugs and confirmed their validity, the developers disabled the Sketchfab embeds and added a sandbox attribute to the iframe.

“After a while, the contextIsolation was enabled,” the bug bounty hunter added. “Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods.”

Kinugawa was awarded $5,000 for his report by Discord, alongside $300 by the Sketchfab team for the disclosure of the XSS flaw, now patched. Electron’s “will-navigate” issue has also been resolved.

The information contained in this website is for general information purposes only. The information is gathered from ZDNet. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorsement of the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
