
Article Basic Information

  • Title: Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis
  • Authors: Adam Rapley; Xavier Bellekens; Lynsay A. Shepherd
  • Journal: Informatics
  • Electronic ISSN: 2227-9709
  • Publication year: 2018
  • Volume: 5
  • Issue: 4
  • Pages: 46-65
  • DOI: 10.3390/informatics5040046
  • Publisher: MDPI Publishing
  • Abstract: Writing desktop applications in JavaScript offers developers the opportunity to create cross-platform applications with cutting-edge capabilities. However, in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime—an increasingly popular server-side technology. By bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. This paper also exposes fifteen highly popular Electron applications and demonstrates that two-thirds of applications were found to be using known vulnerable elements with high CVSS (Common Vulnerability Scoring System) scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of shipping the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.
  • Keywords: JavaScript; Node.js; security vulnerabilities; arbitrary code execution; post-exploitation