1. 46

    1. 13

      For those wondering, in total I got 5k for this vuln, which I don't blame ToDesktop for because they're a really small company.

      Update: Cursor (one of the affected customers) is giving me 50k USD for my efforts.

      Man, it's nice to read one of these that doesn't end with "and the bounty was rejected on a technicality".

      1. 2

        > I wanted to get on the machine where the application gets built and the easiest way to do this would be a postinstall script in package.json, so I did that with a simple reverse shell payload

        Forgive my ignorance, but to clarify the exploit:

        1. Build an electron app and build with todesktop
        2. Install a postinstall script that reverse shells?
        3. ??? (Obviously, connect to reverse shell)
        4. Profit!!

        So, the vuln is that ToDesktop mounted everything into the build container with no separation. Correct? The wording here glosses over this very important part. :)

        1. 2

          From my understanding of the post, step 3 is: extract the "config.json.encrypted" file from the container, decrypt it using the credentials found, then use the decrypted Firebase credentials to push an update to other users' applications.

          1. 2

            That was specified once they got a shell. The question I had was: how did they actually get the shell? They mention postinstall and a reverse shell. My assumption is that when you use ToDesktop, it's a CI-like build tool, so a postinstall script runs in their container, and that gave them the ability to reverse shell out (for some time before the build was killed, presumably) to get the encrypted file, decrypt it, profit.

            I think that's logical, but I'm trying to "check my work."

            1. 1

              Yeah, I think that's the conclusion I came to: some npm post-install script in a dependency makes a reverse shell and keeps the build "running".
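A build-side check for the hook this subthread is reasoning about, added here as an example (it is not from the post, the commenters, or ToDesktop's tooling): it walks a dependency tree and flags every install-time lifecycle script that is not on a reviewed allowlist, which is what a CI step could run before `npm install` is allowed to execute scripts. The package names and commands in the sample tree are constructed.

```python
# Added example (not ToDesktop's code): flag npm install-time hooks in a dependency tree.
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Commands a reviewer has already vetted; anything else is flagged for review.
ALLOWED_COMMANDS = {"node-gyp rebuild", "prebuild-install || node-gyp rebuild"}

def find_install_hooks(root):
    """Return sorted (package, hook, command, needs_review) tuples for every
    package.json under root that declares an install-time lifecycle hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: nothing to evaluate
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd is not None:
                needs_review = cmd.strip() not in ALLOWED_COMMANDS
                findings.append((manifest.get("name", dirpath), hook, cmd, needs_review))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample node_modules: one vetted native build, one package
    that runs an arbitrary script on install, one with no hooks at all."""
    root = tempfile.mkdtemp()
    samples = {
        "native-addon": {"postinstall": "node-gyp rebuild"},
        "innocent-looking-util": {"postinstall": "node scripts/setup.js"},
        "plain-lib": {"test": "jest"},
    }
    for name, scripts in samples.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "scripts": scripts}, fh)
    return root

if __name__ == "__main__":
    for pkg, hook, cmd, flagged in find_install_hooks(build_sample_tree()):
        print(f"{'REVIEW' if flagged else 'ok'}\t{pkg}: {hook} -> {cmd}")
```

Running the dependency install itself with `npm ci --ignore-scripts` and executing only the allowlisted hooks afterwards removes the build container from the blast radius of an unreviewed script.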

        2. 2

          another firebase banger

          another firebase banger by eva from ssi