Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneVultzaH1:1685979
HistoryAug 31, 2022 - 12:41 a.m.

Mattermost: DoS via Playbook

2022-08-3100:41:40
vultza
hackerone.com
5
mattermost
dos attack
playbook
payload
api endpoint
authentication token
server crash
bug bounty

0.001 Low

EPSS

Percentile

35.0%

JSON

Summary:

A normal user can create a playbook, that has some attributes like the run_summary_template, retrospective_template and description,that don’t have any size check or validation, which allows an attacker to set an unlimited number of characters as their values.

In a production environment is possible to set up to 50MB of data, due to the default nginx configuration, as the run_summary_template value. The creation of the playbook for itself is not sufficient to trigger an DoS attack in the application, but once this playbook is executed(run) the server starts to consume a large amount of computing resources, which causes to the server to stop responding to users requests and ultimately leads to server crash.

This attack is even worst because after the application is restarted, its not possible to the user who created the playbook run to finish its execution via the Web Portal, because both the channel created by the playbook run, and the run dedicated management page, don’t properly load, showing only a blank screen.

Steps To Reproduce:

  1. Log in as a normal user in the platform.
  2. Grab the user MMAUTHTOKEN authentication token.
  3. Generate the playbook payload, that contains 50000000(50MB) characters as the run_summary_template attribute value. Use F1893243
  4. Send the following POST request to the plugins/playbooks/api/v0/playbooks API endpoint:
curl -X POST "http://<domain>/plugins/playbooks/api/v0/playbooks" -H 'Content-Type: application/json' -d @payload --cookie "MMAUTHTOKEN=<user-auth-token>" -H "X-CSRF-TOKEN: <csrf-token>"
  1. Go to the playbooks page, and click on the newly created playbook.
  2. Click in the “Run” button and then set an name for the run.
  3. After the run is initiated, the server will start to consume an abnormal quantity of computing resources, and crashes after some seconds.
  4. The application becomes unavailable for all its users.

Supporting Material/References:

  • PoC Video
    {F1893242}

Impact

A user can cause a full denial of service attack in the application server, making the application server unavailable to all its users.

Related

nvd 1
prion 1
veracode 1
cve 1
cvelist 1
nessus 1
nvd
nvd
CVE-2022-4019
2022-11-23 06:15:09
prion
prion
Denial of service
2022-11-23 06:15:00
veracode
veracode
Denial Of Service (DoS)
2023-11-10 08:16:45
cve
cve
CVE-2022-4019
2022-11-23 06:15:09
cvelist
cvelist
CVE-2022-4019 Authenticated user could send multiple requests containing a large payload to a Playbooks API and can crash a Mattermost server
2022-11-23 05:32:15
nessus
nessus
Mattermost Server < 7.1.4 / 7.2.x < 7.2.1 / 7.3.x < 7.3.1 DoS (MMSA-2022-00118)
2022-12-02 00:00:00

0.001 Low

EPSS

Percentile

35.0%

JSON
Related for H1:1685979
nvd1prion1veracode1cve1cvelist1nessus1