| Advisory Type | Vulnerability Report |
|---|---|
| Application | Discord Chat |
| Vulnerability | Remote Code Execution (RCE) Chain |
The RCE vulnerability found in the VoIP and chat platform Discord is exploited by chaining three vulnerabilities in Electron JS:
Electron is an open source JavaScript framework used to develop the graphical user interface (GUI) of Discord. Since Discord has disabled contextIsolation in its Electron configuration, JavaScript from any web page can tamper with the execution of Electron's internal JavaScript code, which leads to an RCE attack.
The adversary exploits the XSS vulnerability in Discord's 'iframe embeds' feature to execute JavaScript. For example, 'iframe embeds' automatically displays a video player on the Discord platform when a user posts a YouTube URL. By exploiting the XSS vulnerability, the attacker executes arbitrary JavaScript in the browser.
As the final step in the chain, a navigation restriction bypass, CVE-2020-15174, is exploited to achieve RCE. Because Electron does not expose its privileged internals to JavaScript running inside the iframe, the attacker has to leave the iframe and execute JavaScript in a top-level browsing context. This requires either opening a new window from the iframe or navigating the top window to another URL from the iframe. As Discord has disabled Electron's contextIsolation, that JavaScript is executed by the application itself, achieving RCE and thus compromising the user's host environment.
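The two Electron-side conditions the advisory relies on, contextIsolation being disabled and the top-level window being navigable from an iframe, can both be checked and closed in the main process. The following is an added example written for this page; it is not Discord's or Electron's code and is not part of the advisory. It audits a BrowserWindow webPreferences object for the weak setting described above (and, going slightly beyond the advisory, for nodeIntegration, sandbox and webviewTag as well), and implements a navigation allow-list that a `will-navigate` handler and `setWindowOpenHandler` would enforce. The origin `https://app.example.test`, the function names and the constructed configuration objects are assumptions for illustration; the code runs without Electron installed.

```javascript
// Added example (not from the advisory, Discord or Electron): audit Electron
// webPreferences for the settings the advisory describes, and enforce a
// navigation allow-list so an iframe cannot move the top-level window or
// open a new one to arbitrary content. Runs as plain Node; the Electron
// wiring in attachNavigationGuards() is shown for context only.

// Constructed, insecure configuration modelled on the advisory: with
// contextIsolation off, page JavaScript and Electron's preload/internal
// JavaScript share one JavaScript world.
const INSECURE_WEB_PREFERENCES = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// Hardened configuration: each option is an Electron webPreferences key.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,
};

// Returns a list of findings; an empty list means nothing was flagged.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation disabled: page JS can reach preload/internal JS');
  }
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: page JS can require() Node modules');
  }
  if (prefs.sandbox === false) {
    findings.push('sandbox disabled: renderer is not OS-sandboxed');
  }
  if (prefs.webviewTag === true) {
    findings.push('webviewTag enabled: embedded content gets its own privileged renderer');
  }
  return findings;
}

// Assumed origin that the application is allowed to navigate to.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

// Allow only https navigations to an allow-listed origin. Anything else,
// including javascript:, file: and unparsable URLs, is denied.
function isNavigationAllowed(targetUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return allowedOrigins.has(parsed.origin);
}

// Wire the allow-list into a webContents (Electron main process). Both the
// "navigate the top window from the iframe" and the "open a new window from
// the iframe" routes described in the advisory pass through these hooks.
function attachNavigationGuards(webContents, allowedOrigins = ALLOWED_ORIGINS) {
  // will-navigate fires for top-level navigations, including iframe-initiated ones.
  webContents.on('will-navigate', (event, url) => {
    if (!isNavigationAllowed(url, allowedOrigins)) event.preventDefault();
  });
  // setWindowOpenHandler decides window.open() / target=_blank requests.
  webContents.setWindowOpenHandler(({ url }) =>
    isNavigationAllowed(url, allowedOrigins) ? { action: 'allow' } : { action: 'deny' }
  );
}
```

In a real application the audit would run over the options passed to `new BrowserWindow(...)` at startup, and `attachNavigationGuards(win.webContents)` would be called immediately after the window is created, before any remote content loads.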
All security issues have been patched by Electron's security team; a few specifics are provided below: