Rocket.Chat: Vulnerability allowed remote code execution through crafted messages


Administrators and private users who run the chat platform Rocket.Chat on their servers or client machines should update promptly. The current server (and probably also desktop) versions close a security vulnerability that attackers could abuse in the web-based chat for cross-site scripting attacks, and from the desktop app also for remote execution of arbitrary code.

The attack works only under certain conditions and requires user interaction in the chat. In view of an existing detailed proof-of-concept description, the update is advisable nonetheless. Server versions 3.4.3 and 3.5.0 are secured. They date from the end of July; however, the Rocket.Chat team has so far not alerted users to the existing danger.

Exploit via crafted message

The discoverers of the vulnerability give details in a blog entry on CVE-2020-15926. According to it, an attacker first has to authenticate successfully with an existing account on a vulnerable Rocket.Chat server. In the chat he can then send messages of the form

which, thanks to the vulnerability, are not treated as text but actually interpreted as code.

This code is executed (locally) as soon as another chat user clicks on the speech-bubble icon for direct replies or starts a thread. In the context of the web browser, attackers could thereby obtain authentication or access tokens, for instance.


Beyond such cross-site scripting, however, the discoverers of the vulnerability also found a way to execute arbitrary code outside the browser on the systems of chat users. For this, a user had to open a correspondingly crafted message in the Rocket.Chat desktop app. The researchers explain further details in the blog entry and in a PoC video.

Remote code execution (in the form of a calculator launch) in the video. To trigger the exploit, the message recipient must click on the icon for direct replies.

Vulnerable and secured versions

The researchers successfully tested their PoC code with the server/client version combinations 3.4.0/2.7.9 and 3.4.0/2.7.10, but assume that earlier versions are also vulnerable. The Rocket.Chat documentation explains the steps required to update to the secured server versions 3.4.3 and 3.5.0. Details about the releases can be found in the Rocket.Chat release notes on GitHub.
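For an administrator with several Rocket.Chat servers, the practical question is which of them still run a release below the two secured versions named here. The following added example (not from the article, the researchers or the Rocket.Chat project) compares reported version strings against 3.4.3 and 3.5.0, treating a version as patched only if it is at or above the secured release of its own 3.4 or 3.5 branch, or newer than 3.5.0 altogether. The inventory and the JSON responses are constructed; that the server's version can be read from a JSON document with a `version` field, such as the `/api/info` endpoint returns, is an assumption of this example and not something the article states.

```javascript
// Added example (not from the advisory or Rocket.Chat): decide from a server's
// reported version whether it carries the fix for CVE-2020-15926.
// The article names 3.4.3 and 3.5.0 as the secured server releases; everything
// earlier is treated as vulnerable, as the researchers assume for older versions.

const FIXED_RELEASES = ['3.4.3', '3.5.0'];

// Parse "major.minor.patch" (optionally prefixed with "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// A version is patched if it is at or above the fixed release of its own
// major.minor branch, or above the newest fixed release overall.
function isPatchedServer(version) {
  const [maj, min] = parseVersion(version);
  const sameBranch = FIXED_RELEASES.find((f) => {
    const [fm, fn] = parseVersion(f);
    return fm === maj && fn === min;
  });
  if (sameBranch) return compareVersions(version, sameBranch) >= 0;
  const newest = FIXED_RELEASES.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  return compareVersions(version, newest) > 0;
}

// Constructed sample responses (not captured from real servers). Both layouts,
// a top-level "version" and a nested "info.version", are assumptions of this
// example about how a server reports its version, not facts from the article.
const SAMPLE_INVENTORY = {
  'chat-a.example': '{"version":"3.4.2","success":true}',
  'chat-b.example': '{"info":{"version":"3.4.3"},"success":true}',
  'chat-c.example': '{"version":"3.5.0","success":true}',
  'chat-d.example': '{"version":"3.3.1","success":true}',
};

// Extract the version string from either response layout.
function versionFromInfo(json) {
  const data = JSON.parse(json);
  const v = data.version || (data.info && data.info.version);
  if (!v) throw new Error('no version in response');
  return v;
}

// List every host whose reported version predates the fix.
function serversNeedingUpdate(inventory) {
  return Object.entries(inventory)
    .map(([host, json]) => [host, versionFromInfo(json)])
    .filter(([, v]) => !isPatchedServer(v))
    .map(([host, v]) => `${host} (${v})`);
}

console.log(serversNeedingUpdate(SAMPLE_INVENTORY));
// → [ 'chat-a.example (3.4.2)', 'chat-d.example (3.3.1)' ]
```

The branch-aware comparison matters because a plain "at least 3.4.3" test would wrongly accept nothing on 3.5.x below 3.5.0 (there is none) but, more importantly, a plain "at least 3.5.0" test would wrongly flag the patched 3.4.3 as vulnerable.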

The blog entry on the vulnerability with CVE ID CVE-2020-15926 does not clearly state whether the attackability of the desktop app depends solely on the Rocket.Chat version running on the remote server. An additional update of the client cannot hurt in any case: the current client version is 2.17.11. The Rocket.Chat documentation also provides download information for Windows, macOS and Linux.