Conversation

I just don't see why it's particularly bad, if you can already write an arbitrary file in the user profile you can already change update.exe to whatever malware, or use countless other paths to code execution. Is there a way to exploit the "issue" without profile file write?
The ability to compromise an app in one way does not negate the danger of other compromises. As a threat hunter, my concern is not just the technical possibility, but ways in which malicious activity can go unnoticed on the endpoint. This is a way to hide, hence the callout.
You may want to insist more in the writing on it being a clever way to persist unnoticed; it reads as a vulnerability and IMHO it's not.
Given that this vector enables an attacker to not only execute malware via the child_process mechanism (and edge.js as noted), but also inject JS into the UI of an app, I find it distinct enough to describe it as I have.
... it isn't really? You just "discovered" that asar files are executables and not signed. It's like "discovering" that the .py files next to python.exe in a Python app are code and unsigned. That you can also run Python code that isn't just spawning a subprocess isn't special.