Japanese bug bounty hunter Masato Kinugawa has found multiple vulnerabilities affecting the Discord Desktop app. Elaborating on his findings in a blog post, he explained how exploiting the bugs together could lead to remote code execution.
He found three distinct vulnerabilities that, chained together, put users at risk. The first was that the app's window had the contextIsolation setting disabled, which opened the door to RCE. As he explained,
If the contextIsolation is disabled, a web page’s JavaScript can affect the execution of Electron’s internal JavaScript code on the renderer, and preload scripts…
This behavior is dangerous because Electron allows the JavaScript code outside web pages to use the Node.js features regardless of the nodeIntegration option and, by interfering with them from the function overridden in the web page, it could be possible to achieve RCE even if the nodeIntegration is set to false.
Discord did have nodeIntegration set to false, which would normally keep page JavaScript away from Node.js, but with contextIsolation disabled that setting alone did not stop the attack.
To actually run JavaScript inside the app he needed a second bug, and found one: a cross-site scripting (XSS) flaw in the Sketchfab iframe embeds.
On their own, these two bugs only gave JavaScript execution inside the iframe, not in the top-level frame where Electron loads the preload scripts, so they were not yet enough for RCE.
A third bug closed that gap. Kinugawa found a navigation restriction bypass in Electron (CVE-2020-15174) that let the iframe navigate the top-level frame to an attacker-controlled page despite the app's navigation restrictions; chained with the other two, this gave RCE.
The following video demonstrates the exploit.
Bug Patched
Upon discovering the flaws, the researcher reached out to Discord via their bug bounty program.
Explaining the fixes, he stated,
First, the Discord team disabled the Sketchfab embeds, and a workaround was taken to prevent navigation from the iframe by adding the sandbox attribute to the iframe. After a while, the contextIsolation was enabled. Now even if I could execute arbitrary JavaScript on the app, RCE does not occur via the overridden JavaScript built-in methods.
The third bug was fixed in Electron itself, which shipped the patch in the npm releases 11.0.0-beta.1, 10.0.1, 9.3.0 and 8.5.1. The Electron advisory also described a workaround for apps that could not upgrade immediately:
Sandbox all your iframes using the sandbox attribute. This will prevent them from creating top-frame navigations and is good practice anyway.
For his findings, Kinugawa received $5,000 from Discord and $300 from Sketchfab.