DOI: 10.1145/3548606.3559340 (ACM CCS conference proceedings; research article, public access)

Understanding and Mitigating Remote Code Execution Vulnerabilities in Cross-platform Ecosystem

Published: 07 November 2022

Abstract

JavaScript cross-platform frameworks are becoming increasingly popular. They let developers build cross-platform applications easily and conveniently from a single JavaScript codebase. Recent security reports showed that several high-profile cross-platform applications (e.g., Slack, Microsoft Teams, and GitHub Atom) suffered from injection issues, often introduced through Cross-site Scripting (XSS) or embedded untrusted remote content such as ads. These injections open security holes for remote web attackers and cause serious security risks, such as allowing injected malicious code to run arbitrary local executables on victim devices (referred to as XRCE attacks). Until now, however, XRCE attack vectors and behaviors, and the root cause of XRCE, have rarely been studied or understood. Although cross-platform framework developers and the community responded quickly by offering multiple security features and recommendations, these mitigations were proposed empirically, and their effectiveness is unknown.
In this paper, we conduct the first systematic study of the XRCE vulnerability class in the cross-platform ecosystem. We first build a generic model of different cross-platform applications that reduces their semantic and behavioral gaps. We use this model to (1) study XRCE by comprehensively defining its attack scenarios, surfaces, and behaviors, and (2) investigate the state-of-the-art defenses and verify their weakness against XRCE attacks. Our study of 640 real-world cross-platform applications shows that, despite the availability of existing defenses, XRCE widely affects the cross-platform ecosystem: 75% of the applications may be impacted by XRCE, including Microsoft Teams. (3) Finally, we propose XGuard, a novel defense technology that automatically mitigates all XRCE variants derived from the XRCE behaviors we identified.


Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022
3598 pages
ISBN: 9781450394505
DOI: 10.1145/3548606

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

exploit mitigation, runtime provenance analysis, static analysis


Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions (18%)
