[GH-ISSUE #4011] A local attacker can bypass the password on application startup by modifying the configuration file. #2776

Open
opened 2026-02-27 00:54:13 +03:00 by kerem · 2 comments

Originally created by @mbzik on GitHub (Aug 1, 2025).
Original GitHub issue: https://github.com/electerm/electerm/issues/4011

Electerm Version and download file extension

electerm-1.91.1-win-x64-portable.tar.gz

Platform detail

Microsoft Windows NT 10.0.22631.0 x64

What steps will reproduce the bug?

Exploitation Method:
The victim sets a password to access the software, then closes the application.

The attacker modifies the file %AppData%\electerm\users\default_user\electerm.data.nedb, replacing the values of salt and hashedPassword with "" (empty strings).

The attacker launches the connection manager.

Impact:
Access to the connection manager is obtained, bypassing the password on startup.

What should have happened?

Encrypt files that contain sensitive/confidential information using the user's password.

Would this happen in other terminal app

No response

Additional information

No response


@zxdong262 commented on GitHub (Aug 2, 2025):

Think about this: if an attacker can access your computer, why not just get the private keys from ~/.ssh? So do you think storing a private key in .ssh is dangerous?


@mbzik commented on GitHub (Aug 6, 2025):

I assumed that after saving the key in Electerm, it could be deleted from other locations, making Electerm not just an SSH client but also a secure credential storage system. On the other hand, if an attacker gains access to the computer, the keys would be just a small part of what they could steal.
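
The request in the issue (encrypt sensitive files using the user's password), as an added Node.js example that is not electerm's code: the key is derived from the password with scrypt and the record is sealed with AES-256-GCM, so blanking or editing the stored salt makes decryption fail instead of skipping a check. The names `seal` and `unseal` and the sample record are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto')

// Derive a 256-bit key from the startup password. Unlike a stored
// hashedPassword that is only compared at launch, this key is needed
// to read the data at all.
function deriveKey (password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32)
}

// Encrypt a record (for example saved connection settings) under the password.
function seal (password, record) {
  const salt = nodeCrypto.randomBytes(16)
  const iv = nodeCrypto.randomBytes(12)
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv)
  const data = Buffer.concat([cipher.update(JSON.stringify(record), 'utf8'), cipher.final()])
  return {
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    data: data.toString('hex')
  }
}

// Returns the record, or null when the password is wrong or any stored
// field (salt, iv, tag, data) was altered or emptied on disk.
function unseal (password, box) {
  try {
    const key = deriveKey(password, Buffer.from(box.salt, 'hex'))
    const decipher = nodeCrypto.createDecipheriv(
      'aes-256-gcm', key, Buffer.from(box.iv, 'hex'), { authTagLength: 16 })
    decipher.setAuthTag(Buffer.from(box.tag, 'hex'))
    const plain = Buffer.concat([decipher.update(Buffer.from(box.data, 'hex')), decipher.final()])
    return JSON.parse(plain.toString('utf8'))
  } catch (err) {
    return null
  }
}

// Constructed sample record, not taken from a real electerm data file.
const sampleBox = seal('correct horse', { host: 'example.invalid', user: 'demo' })
console.log('right password:', unseal('correct horse', sampleBox))
console.log('salt emptied on disk:', unseal('', { ...sampleBox, salt: '' }))
```

This protects the stored data at rest; it does not address the point raised in the reply about an attacker who already controls the logged-in account while the application is unlocked.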
