Digiexam
DigiExam is a digital examination tool designed to provide teachers and students with a secure testing environment. It works by closing all user programs when the exam starts. It also monitors and flags suspicious activity, locking the exam and informing the teacher if any is detected. It was built with Electron, likely for compatibility across Linux, Mac, and Windows. The methods described here are tested on Windows and may or may not work for other systems.
Tools Used
- Node.js: Primary programming language.
- Asar addon for 7zip: Used for extracting the source code.
Exploits
"External" Method
DigiExam attempts to shut down non-essential programs during an examination. However, newly launched programs can run for around 1 second before being killed, and DigiExam does not lock down the exam upon detecting this. This leads to two challenges:
- Executing a Custom Script with DigiExam Active: This can be achieved by either using a service that initiates your script via the Windows Task Scheduler or by substituting utilman.exe with your script, activated by pressing the shift key five times consecutively. I chose the latter one as it allows me to start the programs myself whenever I found it appropriate.
- Interacting with DigiExam via the Script: After being able to run arbitrary programs we still need to figure out how to enter data into the exam. I chose to emulate keystrokes through the Windows API, thereby simulating user input. The script can input around 20 characters per second reliably. For long texts this would require the user to spam the shift keys for long periods of time (to reactivate utilman.exe every second). Not ideal, but works as a proof-of-concept.
This method enables copy/pasting functionality, which might or might not be of help depending on whether the text can be prepared in advance. We had a few such exams we could prepare for in high school, but in uni I have never experienced this.
"Internal" Method
This approach requires modifying DigiExam's source code directly. By extracting the app.asar file located in C:\Users\[username]\AppData\Local\DigiExam\app-[version_number]\resources\, you gain access to the source code. Electron prioritizes loading files from an extracted \app folder over \app.asar, allowing for direct source code modifications without needing to reconvert to .asar. Although the JavaScript files were obfuscated, making direct edits challenging, it was still possible to inject new code.
You can get arbitrary code execution simply by writing your own JavaScript at the top of the source files, regardless of whether the rest of the file is heavily obfuscated. Below is an example of an obfuscated hello world message for reference.
(function(_0xb674a2,_0xf6f2b0){var _0x3657d6=_0x2f00,_0x2f6592=_0xb674a2();
while(!![]){try{var _0x47950d=-parseInt(_0x3657d6(0x147))/0x1+-parseInt(_0x3657d6(0x14e))/0x2+parseInt(_0x3657d6(0x150))/0x3+-parseInt(_0x3657d6(0x146))/0x4*(parseInt(_0x3657d6(0x14f))/0x5)+parseInt(_0x3657d6(0x14d))/0x6*(parseInt(_0x3657d6(0x148))/0x7)+-parseInt(_0x3657d6(0x145))/0x8+-parseInt(_0x3657d6(0x14b))/0x9*(-parseInt(_0x3657d6(0x14c))/0xa);
if(_0x47950d===_0xf6f2b0)break;else _0x2f6592['push'](_0x2f6592['shift']());}
catch(_0xf66cdc){_0x2f6592['push'](_0x2f6592['shift']());}}}(_0x26ec,0x2ee31));function _0x26ec()
{var _0x1fc1c4=['741220IOvDjD','133632eoTArF','313138INaJlU','115UOdpqX','763920fKIrMC','2031768fGcDMz','432nGWCWX','109619eKHtgv','98HPItyJ','log','Hello\x20World!','18jhNnOC'];
_0x26ec=function(){return _0x1fc1c4;};return _0x26ec();}function _0x2f00(_0x3f5c0f,_0x50fdaa){var _0x26ecf0=_0x26ec();
return _0x2f00=function(_0x2f0008,_0x4881ee){_0x2f0008=_0x2f0008-0x145;var _0x43644d=_0x26ecf0[_0x2f0008];return _0x43644d;},_0x2f00(_0x3f5c0f,_0x50fdaa);}
function hi(){var _0x59e545=_0x2f00;console[_0x59e545(0x149)](_0x59e545(0x14a));}
hi();
I was able to link a keyboard shortcut (ctrl-b) to the toggling of an iframe displaying google.com (or any arbitrary website), enabling website access during exams. However, when I tried to open a real exam I found that DigiExam verifies the integrity of its code through file signature comparisons, detecting any changes I had made to the source files.
Unfortunately for DigiExam, this verification occurs only at the exam's start, not when DigiExam is launched. Therefore, it's possible to use the modified DigiExam version at startup, then quickly switch to the original script after launch by moving the whole DigiExam folder. That way, we load the custom version (with arbitrary modifications by us) without verification, and when we try to start the exam the client will incorrectly look at the real source code, which passes the test.
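From the defender's side, the gap described above is a time-of-check/time-of-use problem: the check inspects the files on disk at exam start, not the code that was loaded at launch. The following is an added example, not DigiExam's code, of binding the exam-start check to a launch-time snapshot; the function names, finding labels and the pinned-hash source are assumptions, and the file contents are constructed.

```javascript
// Added example, not DigiExam code; function and finding names are hypothetical.
const crypto = require('node:crypto');
const fs = require('node:fs'); // inside Electron, use 'original-fs' to read the archive as a plain file
const os = require('node:os');
const path = require('node:path');

const sha256 = (file) =>
  crypto.createHash('sha256').update(fs.readFileSync(file)).digest('hex');

// Record what the runtime would load from this resources directory.
function snapshot(resourcesDir) {
  const asar = path.join(resourcesDir, 'app.asar');
  return {
    // Electron prefers an unpacked resources/app folder over app.asar.
    unpackedDir: fs.existsSync(path.join(resourcesDir, 'app')),
    asarHash: fs.existsSync(asar) ? sha256(asar) : null,
  };
}

// At exam start, judge the launch-time snapshot as well as the disk state now.
function verifyAtExamStart(atLaunch, resourcesDir, pinnedHash) {
  const findings = [];
  const now = snapshot(resourcesDir);
  if (atLaunch.unpackedDir) findings.push('launched-from-unpacked-dir');
  if (atLaunch.asarHash !== pinnedHash) findings.push('launch-hash-mismatch');
  if (now.unpackedDir) findings.push('unpacked-dir-on-disk');
  if (now.asarHash !== pinnedHash) findings.push('disk-hash-mismatch');
  return findings;
}

// Constructed scenario: files differ at launch, then match the release again.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'resources-'));
  const asar = path.join(dir, 'app.asar');
  fs.writeFileSync(asar, 'constructed release bytes');
  const pinned = sha256(asar); // assumption: in practice taken from a signed release manifest
  const clean = verifyAtExamStart(snapshot(dir), dir, pinned);

  fs.writeFileSync(asar, 'constructed altered bytes');
  fs.mkdirSync(path.join(dir, 'app'));
  const atLaunch = snapshot(dir); // taken while the altered files are in place
  fs.writeFileSync(asar, 'constructed release bytes');
  fs.rmdirSync(path.join(dir, 'app')); // disk now looks genuine again
  const diskOnly = verifyAtExamStart(snapshot(dir), dir, pinned); // what a disk-only check sees
  const bound = verifyAtExamStart(atLaunch, dir, pinned);
  fs.rmSync(dir, { recursive: true, force: true });
  return { clean, diskOnly, bound };
}

console.log(demo());
```

A snapshot taken by the application's own JavaScript can be forged by altered code, so it belongs in a component that code cannot modify, such as a signed native launcher. Electron's `onlyLoadAppFromAsar` and embedded ASAR integrity fuses enforce the same two properties in the runtime itself.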