如何在数亿人和流行的应用程序上获得代码执行

如何在数亿人和流行的应用程序上获得代码执行
How to gain code execution on hundreds of millions of people and popular apps

原始链接: https://kibty.town/blog/todesktop/

在调查光标时，AI文本编辑器（一个用户偶然发现了Cursor使用的电子应用Bundler）。好奇，他们探索了Todesktop的服务，发现了漏洞。侦察显示了一个不安全的壁垒收藏（后来澄清为无敏感）。然后，他们专注于Todesktop的CLI工具，发现了任意的S3上传漏洞，但缺乏有用的上传路径。但是，通过存储了对构建环境的访问，通过允许访问构建环境来利用部署管道，其中存储了敏感的秘密，包括具有完整范围的firebase管理员密钥。该密钥允许用户使用Todesktop将恶意自动更新部署到任何应用程序，从而有可能影响数百万个应用程序的用户，例如ClickUp，Cursor，Linear和Intion Calendar。用户立即提醒了Todesktop的所有者，后者迅速实施了修复程序。脆弱性源于构建容器来处理代码构建和敏感操作。该解决方案将敏感的操作移至特权壁灯容器。 Todesktop赔偿了用户，而受影响的客户之一的光标则提供了额外的奖励。

该黑客新闻线程讨论了Todesktop中的安全漏洞，该服务可帮助开发人员包装和更新电子应用程序。该漏洞使攻击者可以使用使用Todesktop构建的应用程序在系统上执行代码。讨论重点介绍了对自动改建器，代码签名实践以及依靠第三方服务的风险的担忧。电子维护者Felixrieseberg强调了安全自动更新机构的重要性，并建议使用Electron Forge和Azure Trust的签名。几位评论者辩论了自动改建器的必要性和风险，其中一些人争论了更简单，更稳定的软件版本。该线程还涉及开发人员的责任，以确保其软件的安全性以及使其对漏洞负责的潜力。一些用户批评Todesktop的安全实践，并赞美研究人员，他们发现了发出漏洞赏金的漏洞和光标。讨论揭示了人们对现代软件开发的复杂性和安全漏洞的普遍性的更加不安。

（评论） 2025-03-02

无需访问任何网站即可访问任何人的 Arc 浏览器 2024-09-21

我在韩国最大的移动聊天应用程序中发现了一键式漏洞 2024-06-27

针对 PyTorch 的供应链攻击 2024-01-15

900 个站点、1.25 亿个帐户、1 个漏洞 2024-03-19

原文

this started when i was looking into cursor, an ai text editor. also, i use lulu by objective-see on my laptop, so when i downloaded the cursor installer, i got this pop-up:

A LuLu alert, showing that "Install Cursor" was trying to connect to "download.todesktop.com"

now, what the hell is todesktop? i thought i was downloading cursor? well, looking at their website, they seem to be an electron app bundler service alongside providing a SDK for electron apps. so it appears the installer i downloaded is actually managed by todesktop, not cursor.

this made me curious and i made an account on todesktop to look into it, and when i clicked the github login button, i saw my calling: firebase

basic firebase recon

realising the app used firestore (firebase's no-sql database that is often used in frontend), i quickly opened my devtools and began doing basic recon on the firebase.

i realised that the site has sourcemaps, which made searching for all of the firestore paths used in the app even easier (its still easy without sourcemaps, usually)

then i found an insecure collection, temporaryApplications, which seemed to give me an name list of some applications (edit: todesktop has clarified this collection has no sensitive data and hasnt been updated since 2022), but not much other than that, everything seemed secure on the firebase other then this.

i then noticed that most of the deployment and general logic happens in the terminal, with the npm package @todesktop/cli, so i installed that and started looking into it

looking into the todesktop cli

the cli manages deployments, source code uploads, and much more. the website just seems to be a shell to create applications, view deployments, etc etc

i was once again lucky that the cli also had sourcemaps, so i used sourcemapper to extract them into a source tree.

looking in there, i found an arbitrary s3 upload vulnerability via a firebase cloud function called getSignedURL, but i didn't really have an s3 key (file path) to upload to that would do something interesting, so i kept looking.

hijacking the deployment pipeline via a postinstall script

i wanted to get on the machine where the application gets built and the easiest way to do this would be a postinstall script in package.json, so i did that with a simple reverse shell payload

this worked. navigating around the container, i figured out where the actual code-building application lives, and found this:

A screenshot showing a file called "config.json.encrypted"

oh fuck, this usually means something bad. i found the code for decrypting this file, and this is what i got after decrypting it myself:

A file called "config.json", with 2 apple id, remote sign and a hsm's credentials

fuck. this container stores secrets

looking around in the container more, i found a hardcoded firebase admin key (which was full-scoped).

post-exploitation

i quickly realized that with the credentials i have, i could deploy an auto update to any app of my liking, having clients receive it immediately when they restart the app.

i then made some code to use my credentials to deploy an update to my app, and it worked. i immediately got a update on my client and got RCE.

lets talk about impact

with this, i could push auto updates to all applications using todesktop, such as:

clickup (https://clickup.com)
cursor (https://cursor.com) (update: cursor has now switched off of todesktop to their own build system)
linear (https://linear.app)
notion calendar (https://calendar.notion.so)

(please do not harass these companies or make it seem like it's their fault, it's not. it's todesktop's fault if anything)

which, if i were to estimate, is probably in the range of hundreds of millions of people in tech environments, other hackers, programmers, executives, etc. making this exploit deadly if used.

the fix

i immediately used my contacts to get in reach with the owner of todesktop, we were chatting via signal and the fix came almost immediately. they were nice enough to compensate me for my efforts and were very nice in general.

the build container now has a privileged sidecar that does all of the signing, uploading and everything else instead of the main container with user code having that logic.

security incidents happen all the time, its natural. what matters is the company's response, and todesktop's response has been awesome, they were very nice to work with.

check out todesktop's incident report here

for those wondering, in total i got 5k for this vuln, which i dont blame todesktop for because theyre a really small company

update: cursor (one of the affected customers) is giving me 50k USD for my efforts.