In the desktop edition of the chat software, Discord has solved a crucial problem that has left users vulnerable to remote code execution (RCE) attacks.
Several months ago, bug bounty hunter Masato Kinugawa created an exploit chain leading to RCE and published a weekend blog post explaining the technical specifics of the process, which incorporates several bugs.
Electron, the development system used for the Discord desktop client, discovered the first security problem. The JavaScript framework used by Electron — an open source initiative to build cross-platform applications capable of harnessing JavaScript, Markup, and CSS — was saved locally because the web software is not open source, and could be removed and analysed.
One of the settings in Discord ‘s Electron construct, “contextIsolation,” was set to false, which might cause internal code, such as the Node.js functionality, to affect JavaScript code outside the app. The functionality was developed to incorporate various contexts between web pages and code in JavaScript.
This behaviour is risky since Electron allows the JavaScript code outside of web pages to use the functionality of Node.js regardless of the [nodeIntegration] option, and it may be possible to achieve RCE by interfering with them from the overridden function on the web page even if the nodeIntegration is set to false, “Kinugawa clarified.”
Now, the researcher required a way to execute JavaScript on the application, leading to the discovery of a cross-site scripting (XSS) problem in the iframe embed function, used to view video in chat when a URL is shared, such as one from YouTube.
This led Sketchfab, a 3D material viewer, to Kinugawa. Sketchfab is whitelisted in the material protection policies of Discord and can be included in the iframe — but it could exploit a DOM-based XSS discovered in the embeds tab.
This only allowed the bug bounty hunter to execute JavaScript in the iframe, however, and so it was still not possible for the Discord desktop app to achieve complete RCE. At least, in Electron’s “will-navigate” event code, not until Kinugawa came across a navigation restriction workaround.
This processing error, tracked as CVE-2020-15174, combined with the other two vulnerabilities, enabled Kinugawa to execute an RCE attack by circumventing navigation restrictions and accessing a web page containing the RCE payload using the iframe XSS flaw.
Through Discord’s Bug Bounty scheme, Kinugawa posted his scores. The developers removed the Sketchfab embeds after the Discord team triaged the vulnerabilities and checked their validity, applying a sandbox attribute to the iframe.
“The contextIsolation was enabled after a bit,” the bug bounty hunter said. “Now, even though I might execute arbitrary JavaScript on the app, the overridden JavaScript built-in methods do not cause RCE to happen.”
Kinugawa was awarded $5,000 by Discord for his report, alongside $300 by the Sketchfab team for the XSS flaw disclosure, now patched. Electron’s “will-navigate” problem has been solved as well.
