{"id": "H1:470637", "type": "hackerone", "bulletinFamily": "bugbounty", "title": "Slack: User-assisted RCE in Slack for macOS (from official site) due to improper quarantine meta-attribute handling for downloaded files", "description": "## Summary\n\n### **GateKeeper/Quarantine bypass for downloaded files**\n\nLack of `com.apple.quarantine` meta-attribute for downloaded files allows a remote attacker to send an executable file that won't be checked by Gatekeeper .\n\n### File opening **doesn't trigger native alerts** from GateKeeper/Quarantine\n\n> Downloaded executable files lack `com.apple.quarantine` meta-attribute => no alerts about launching an executable from the web will appear.\n\n### Code execution after opening\n\nOpening a downloaded `.terminal` file in Slack via \"Shift + Click\" (or in Finder) immediately leads to running attacker's code on a target device.\n\n### `.terminal` file\n\n1. Opening leads to command execution.\n2. Looks safe - XML file.\n3. Downloaded `.terminal` file **couldn't be opened** if application sets quarantine meta-attribute properly. However, Slack (Direct Download) doesn't do that.\n\n## Attack scenario\n\n1. Attacker sends `exploit.terminal` to the victim. File looks like a plaintext file in preview.\n2. Victim opens `exploit.terminal` file via \"Shift + Click\" (or via Finder)\n3. No alert from Gatekeeper about unsigned executable\n4. No alert about running executable file downloaded from the web\n5. Shell commands from `exploit.terminal` get executed with user-level privileges.\n\n## Version\n\nDecribed scenario is reproducible in Slack 3.3.3 Direct Download.\nSlack from AppStore has correct quarantine rules and isn't vulnerable.\n\n## Additional details\n\n`exploit.terminal` attached + Screencast attached.\n\n### Quarantine\nmacOS is build in such way that OS will ask user before opening any downloaded and potentially launchable (in default setup) files. This rule applies to `.terminal` files too.\n\n### TL;DR: \n- no quarantine -> `exploit.terminal` is launchable in 1 click without warning a user with popups\n- quarantine -> no immediate launch for all files (2 popups) + no RCE is possible if GateKeeper level set to \"AppStore only\"\n\n## Impact\n\n## Impact\n\nAttacker could send a crafted `.terminal` file to the victim, which will be executed immediately after opening this file via \"Open\" button or in Finder. \n\nThe attack scenario requires a certain level of user interaction. \nBut the file looks safe and the victim doesn't expect that it'll be launched immediately\n\n### Additional Impact\n\nGateKeeper bypass allows running arbitrary apps in environments hardened with Gatekeeper settings set to \"AppStore only\".", "published": "2018-12-21T16:40:13", "modified": "2019-09-14T22:28:54", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/470637", "reporter": "metnew", "references": [], "cvelist": [], "lastseen": "2019-09-14T22:32:53", "viewCount": 5, "enchantments": {"dependencies": {"references": [], "modified": "2019-09-14T22:32:53", "rev": 2}, "score": {"value": 2.6, "vector": "NONE", "modified": "2019-09-14T22:32:53", "rev": 2}, "vulnersScore": 2.6}, "bounty": 750.0, "bountyState": "resolved", "h1team": {"url": "https://hackerone.com/slack", "handle": "slack", "profile_picture_urls": {"small": "https://hackerone.com/rails/active_storage/representations/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBaDNlIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--e9ad0ee8efe5843b048b89eada59f5a884a4434a/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCam9VWTI5dFltbHVaVjl2Y0hScGIyNXpld2c2REdkeVlYWnBkSGxKSWd0RFpXNTBaWElHT2daRlZEb0xjbVZ6YVhwbFNTSUxOako0TmpKZUJqc0hWRG9KWTNKdmNFa2lEall5ZURZeUt6QXJNQVk3QjFRPSIsImV4cCI6bnVsbCwicHVyIjoidmFyaWF0aW9uIn19--c38a870d322217b0422c840e7586b68994be38b4/slack2.png", "medium": "https://hackerone.com/rails/active_storage/representations/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBaDNlIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--e9ad0ee8efe5843b048b89eada59f5a884a4434a/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCam9VWTI5dFltbHVaVjl2Y0hScGIyNXpld2c2REdkeVlYWnBkSGxKSWd0RFpXNTBaWElHT2daRlZEb0xjbVZ6YVhwbFNTSUxPREo0T0RKZUJqc0hWRG9KWTNKdmNFa2lEamd5ZURneUt6QXJNQVk3QjFRPSIsImV4cCI6bnVsbCwicHVyIjoidmFyaWF0aW9uIn19--0e71f6791faebe1c35f4452bd21d67fb6decfbc2/slack2.png"}}, "h1reporter": {"disabled": false, "username": "metnew", "url": "/metnew", "profile_picture_urls": {"small": "https://hackerone.com/rails/active_storage/representations/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBbVFXIiwiZXhwIjpudWxsLCJwdXIiOiJibG9iX2lkIn19--ed817d0836520dcfa240954e3d5cb798e240fef2/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDdCam9VWTI5dFltbHVaVjl2Y0hScGIyNXpld2c2REdkeVlYWnBkSGxKSWd0RFpXNTBaWElHT2daRlZEb0xjbVZ6YVhwbFNTSUxOako0TmpKZUJqc0hWRG9KWTNKdmNFa2lEall5ZURZeUt6QXJNQVk3QjFRPSIsImV4cCI6bnVsbCwicHVyIjoidmFyaWF0aW9uIn19--c38a870d322217b0422c840e7586b68994be38b4/me.jpeg"}, "is_me?": false, "hackerone_triager": false, "hacker_mediation": false}, "immutableFields": []}

{}