Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Signature Validation Bypass Leading to RCE In Electron-Updater - 1791

Lorenzo Stella - DoyenSec. Posted 4 Months Ago
  • Electron-Builder is marketed as a package and build system for Electron apps with auto-update support. On macOS and Windows, it has code signing and verification support built in.
  • While reviewing the update mechanism of Electron-Builder for a client, the author noticed that validation failed open if the PowerShell command used for signature validation failed. If there was a parse error, the check would still succeed silently. A file name containing a single quote was enough to cause such a parse error, and the failed check was then treated as a valid result. In practice, the same input was also a command injection, which is less than ideal as well.
  • The command injection issue was eventually resolved, but the fail-open design remained. Because the same string expansion caused both the parse error and the command injection, that fix was sufficient for both problems. Even so, the fail-open design is still bad, and there are likely other ways to trigger this same issue.
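
The fail-open check summarized above next to a fail-closed one, as an added example that is not code from the original write-up or from Electron-Builder. `fakeShell`, the `check-signature` command name, the result fields and both function names are hypothetical stand-ins, and the sample output is constructed.

```javascript
// Added example: hypothetical names throughout, not Electron-Builder's code.
// `run(script)` stands in for launching the verification command and returns
// { code, stdout }. "check-signature" is a placeholder command name.

// Constructed stand-in for the shell: an unbalanced single quote is a parse
// error (non-zero exit, no output); otherwise it reports a signer.
function fakeShell(script) {
  const quotes = (script.match(/'/g) || []).length;
  if (quotes % 2 !== 0) return { code: 1, stdout: "" };
  return { code: 0, stdout: JSON.stringify({ status: "Valid", signer: "CN=Someone Else" }) };
}

// Fail-open (the pattern described above): a failed command is treated as
// "nothing to report", so the update is accepted.
function verifyFailOpen(path, expectedSigner, run) {
  const res = run(`check-signature '${path}'`);
  if (res.code !== 0 || !res.stdout) return true; // BUG: error => accepted
  const sig = JSON.parse(res.stdout);
  return sig.status === "Valid" && sig.signer === expectedSigner;
}

// Fail-closed: only an explicit, well-formed "Valid + expected signer" result
// accepts the update; every other outcome rejects it.
function verifyFailClosed(path, expectedSigner, run) {
  try {
    const quoted = path.replace(/'/g, "''"); // escape for a single-quoted string
    const res = run(`check-signature '${quoted}'`);
    if (res.code !== 0) return false;
    const sig = JSON.parse(res.stdout); // throws on empty or malformed output
    return sig.status === "Valid" && sig.signer === expectedSigner;
  } catch {
    return false; // launcher errors and parse errors both reject the update
  }
}
```

Escaping the quote removes one trigger, but it is the `catch` and the explicit success condition that keep any other command failure from turning into an accepted update.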