Giters

louiselalanne / CVE-2023-49314

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and enableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2023-49314

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and enableNodeCliInspectArguments, and thus electroniz3r can be used to perform an attack.

Captura de Tela 2023-11-27 às 20 07 12

There is a tool designed to automate the process of searching for vulnerabilities in electron: https://github.com/r3ggi/electroniz3r

  • We'll check if the application is vulnerable:

Captura de Tela 2023-11-27 às 19 56 55

  • Now we can inject a bind shell:

Captura de Tela 2023-11-27 às 19 59 19

  • And we got our shell

Captura de Tela 2023-11-27 às 19 59 59

About

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and enableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.