CVE-2018-1000006
CVE-2018-1000006
GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.
Affected products
n/a · n/apublic PoCs found — 5
githubgithub.com/CHYbeta/CVE-2018-1000006-DEMO★ 39cve_referencewww.exploit-db.com/exploits/43899/unverifiedcve_referencewww.exploit-db.com/exploits/44357/unverifiedexploitdbwww.exploit-db.com/exploits/43899unverifiedexploitdbwww.exploit-db.com/exploits/44357unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://electronjs.org/blog/protocol-handler-fixhttps://github.com/electron/electron/releases/tag/v1.8.2-beta.4https://medium.com/%40Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374https://www.exploit-db.com/exploits/43899/https://www.exploit-db.com/exploits/44357/http://www.securityfocus.com/bid/102796