GitKraken Desktop Code Injection Vulnerability
Vulnerability
A code injection vulnerability has been identified in GitKraken Desktop versions 10.8.0 and 11.1.0. The issue arises from misconfigured Electron fuses: 'runAsNode' is enabled and 'enableNodeCliInspectArguments' has not been disabled. With 'runAsNode' enabled, launching the signed GitKraken binary with the ELECTRON_RUN_AS_NODE environment variable set turns it into a plain Node.js runtime that executes whatever script or -e argument it is given; with 'enableNodeCliInspectArguments' enabled, the binary also honours Node's --inspect family of flags, so a debugger can be attached to the process and code injected through it. Either path gives an attacker arbitrary code execution under the identity of the application.
Impact
Exploitation of this vulnerability gives arbitrary code execution inside the signed GitKraken process, so the injected code inherits every permission macOS's Transparency, Consent, and Control (TCC) system has granted to the application. Depending on what the user has approved, this can include sensitive data such as the user's address book. Note that the attacker must already be able to run commands on the machine (the binary has to be launched with the environment variable or flags described above); the impact is an elevation into the application's TCC-granted permissions, not a remote compromise.
Reproduction
To reproduce this vulnerability, first confirm that the target GitKraken Desktop application is a vulnerable version and that its Electron binary still has the 'runAsNode' and 'enableNodeCliInspectArguments' fuses enabled. Both fuses ship enabled by default in every released version of Electron, so any application that has not flipped them explicitly at packaging time is affected; the fuse state can be read from the binary, for example with 'npx @electron/fuses read --app /Applications/GitKraken.app'. Once these conditions are met, the vulnerability can be exploited by injecting code into the application with a tool such as 'electroniz3r', which uses the Node.js mode described above to execute arbitrary JavaScript in the context of the Electron app.
Remediation
Users can mitigate this vulnerability by updating to GitKraken Desktop version 11.2.1, where the issue has been addressed. For Electron application developers generally, the fix is to disable the 'runAsNode' fuse (and 'enableNodeCliInspectArguments') when the application is packaged, using the @electron/fuses package or the fuses integration of the build tool in use, and then re-sign the application. Disabling 'runAsNode' breaks any code path that relies on ELECTRON_RUN_AS_NODE to spawn helper Node.js processes, so those must be moved to an alternative such as Electron's utilityProcess API before the fuse is flipped.
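The fuse check that the reproduction steps call for, together with the byte-level change the remediation describes, as an added example that is not part of this advisory and not GitKraken's or Electron's own code. It parses the fuse wire Electron embeds in its binary (the documented layout: a fixed sentinel string, one version byte, one length byte, then one state byte per fuse, '0' disabled, '1' enabled, 'r' removed), reports whether the two fuses this issue concerns are enabled, and then patches them to disabled the way @electron/fuses does at build time. The fuse order and state bytes are those of @electron/fuses's FuseV1Options; the sample binary, the function names and the output structure are constructed for this example.

```javascript
// Added example, not GitKraken's or Electron's code. Parses and patches the
// Electron "fuse wire": a fixed sentinel string, one version byte, one length
// byte, then one state byte per fuse ('0' = disabled, '1' = enabled,
// 'r' = removed). Fuse order follows @electron/fuses FuseV1Options.
// SAMPLE_BINARY below is constructed for this example, not a real binary.

const SENTINEL = 'dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX';
const WIRE_VERSION_V1 = 0x31; // ASCII '1'

const FUSE_NAMES = [
  'runAsNode',                              // 0
  'enableCookieEncryption',                 // 1
  'enableNodeOptionsEnvironmentVariable',   // 2
  'enableNodeCliInspectArguments',          // 3
  'enableEmbeddedAsarIntegrityValidation',  // 4
  'onlyLoadAppFromAsar',                    // 5
  'loadBrowserProcessSpecificV8Snapshot',   // 6
  'grantFileProtocolExtraPrivileges',       // 7
];

const STATE_BYTE = { disabled: 0x30, enabled: 0x31, removed: 0x72 };
const BYTE_STATE = Object.fromEntries(Object.entries(STATE_BYTE).map(([k, v]) => [v, k]));

// Locate the fuse wire in an Electron binary (a Buffer) and decode it into
// { offset, fuses: { name: 'enabled' | 'disabled' | 'removed' } }.
function readFuses(binary) {
  const at = binary.indexOf(SENTINEL, 0, 'latin1');
  if (at === -1) throw new Error('fuse sentinel not found; not an Electron binary?');
  const version = binary[at + SENTINEL.length];
  if (version !== WIRE_VERSION_V1) throw new Error(`unsupported fuse wire version ${String(version)}`);
  const length = binary[at + SENTINEL.length + 1];
  const offset = at + SENTINEL.length + 2;
  if (offset + length > binary.length) throw new Error('truncated fuse wire');
  const fuses = {};
  for (let i = 0; i < length; i++) {
    const name = FUSE_NAMES[i] ?? `unknownFuse${i}`;
    const byte = binary[offset + i];
    fuses[name] = BYTE_STATE[byte] ?? `unknown(0x${byte.toString(16)})`;
  }
  return { offset, fuses };
}

// The condition this advisory describes: either fuse left enabled lets a
// local attacker run their own code under the application's identity.
function isCodeInjectable(fuses) {
  return fuses.runAsNode === 'enabled' || fuses.enableNodeCliInspectArguments === 'enabled';
}

// Return a copy of the binary with the named fuses set. This is the in-place
// byte edit @electron/fuses performs at packaging time; a shipped, signed app
// must be re-signed afterwards, so this is a build step, not a field patch.
function flipFuses(binary, changes) {
  const { offset, fuses } = readFuses(binary);
  const out = Buffer.from(binary); // copy; the input is left untouched
  for (const [name, enabled] of Object.entries(changes)) {
    const i = FUSE_NAMES.indexOf(name);
    if (i === -1 || !(name in fuses)) throw new Error(`unknown fuse ${name}`);
    if (fuses[name] === 'removed') throw new Error(`fuse ${name} is removed and cannot be flipped`);
    out[offset + i] = enabled ? STATE_BYTE.enabled : STATE_BYTE.disabled;
  }
  return out;
}

// Constructed stand-in for an Electron binary: filler, the sentinel, version
// '1', length 8, then a wire with runAsNode (index 0) and
// enableNodeCliInspectArguments (index 3) enabled, then more filler.
const SAMPLE_BINARY = Buffer.concat([
  Buffer.from('....constructed filler, not a real executable....', 'latin1'),
  Buffer.from(SENTINEL, 'latin1'),
  Buffer.from([WIRE_VERSION_V1, 0x08]),
  Buffer.from('10110001', 'latin1'),
  Buffer.from('....more constructed filler....', 'latin1'),
]);

// Audit the binary, apply the remediation, and audit the result.
function demo(binary = SAMPLE_BINARY) {
  const before = readFuses(binary).fuses;
  const hardened = flipFuses(binary, { runAsNode: false, enableNodeCliInspectArguments: false });
  const after = readFuses(hardened).fuses;
  return {
    before,
    after,
    injectableBefore: isCodeInjectable(before), // true for the sample
    injectableAfter: isCodeInjectable(after),   // false after flipping
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

To audit a real installation, replace SAMPLE_BINARY with the bytes of the binary that carries the fuses (on macOS the Electron Framework binary inside the app bundle's Frameworks directory; on Windows and Linux the main executable). Do not write a flipped copy back over a signed application: the code signature no longer matches and the fix belongs in the packaging pipeline, which is where @electron/fuses is normally run.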
