CVE-2020-15174: Vulnerability in Discord desktop application gives control of your PC to hackers

The developers of Discord, a popular VoIP and chat platform, have fixed a critical flaw that exposed users to remote code execution attacks. Masato Kinugawa, a security researcher who takes part in several bug bounty programs, built a chain of exploits to demonstrate the attack, which involves exploiting several bugs in combination.

The flaw lies specifically in Electron, the software framework used to build the desktop version of Discord. Although the Discord application itself is not open source, Electron is an open-source framework for building desktop applications with JavaScript, HTML and CSS, and the application's JavaScript code is stored locally, where it can be extracted and examined.

One of the settings in Discord's Electron build, contextIsolation, was set to false. This option was designed to keep the JavaScript of a web page in a separate context from the JavaScript that runs outside it (such as preload scripts and Electron's own internal code), so that page code cannot influence that internal code. This matters because Electron lets JavaScript code outside web pages use Node.js functions regardless of the nodeIntegration option; by overriding functions from the web page and thereby interfering with that code, it might be possible to achieve RCE even when nodeIntegration is set to false.

Kinugawa still needed a way to run JavaScript inside the desktop application, which led to the discovery of a cross-site scripting (XSS) problem in the iframe embed feature, used to display videos in chat when a URL from sites such as YouTube is posted. Using Sketchfab, a 3D content viewer, Kinugawa was able to abuse a DOM-based XSS bug found on the embedding page, completing the attack.

Tracked as CVE-2020-15174, this flaw, exploited in combination with the two other vulnerabilities, allowed Kinugawa to achieve remote code execution: bypass the security restrictions and use the XSS flaw to reach a web page where an RCE payload was stored. After Kinugawa filed the report through Discord's bug bounty program, the developers disabled Sketchfab embeds, completely mitigating the possibility of exploitation.