First things first, if you use Mattermost Desktop and aren't already on 4.2.0, you should update immediately.
What a way to end a Monday.
Discovery
Jeff Ziegener and Scott Payne first discovered this while trying to set the profile image for an integration to a UNC path. They discovered that when the integration would post a message, it would open the image at the specified UNC path... in Windows Photo Viewer! After some further digging, we discovered this wasn't limited to just photos. We could open any executable the user had access to on a remote share. We could also make users visit arbitrary web pages in their default browser by setting the integration profile picture to a UNC path to a shortcut. For example, sending the following payload to an incoming webhook produces this result:
{
"text": "Windows Photo Viewer",
"username": "Windows Photo Viewer",
"icon_url": "\\\\some-server\\some-share\\tux.png"
}
Investigation
Further digging indicated that even though UNC Paths to localhost / 127.0.0.1 were blocked, we could open local executables if we knew the machine name of the target user and they had administrative shares enabled. For example, if my machine name is win-01234, I could open a local instance of calc.exe by linking to \\win-01234\c$\windows\system32\calc.exe:
{
"text": "Calculator!",
"username": "calc.exe",
"icon_url": "\\\\win-01234\\c$\\windows\\system32\\calc.exe"
}
Even better, every time you re-render the channel, it'll open all image links that were rendered:
After reporting the bug to mattermost, we discovered that we could reproduce the bug by simply sending a message with a link or an image with a UNC path. Mattermost Desktop will open the link with the default application when clicked, or automaticially when the channel is rendered for image links. This means I can post the following message:
And mattermost will happily execute the program at that path!
Want to rick-roll everyone in a channel? Make a shortcut people can access:
Details
Versions of the Desktop application prior to 4.2.0 contain a vulnerability in the way certain image links are handled. Given a profile picture or image link with a non-http protocol, if the host segment of the URL doesn't match the regular expression ^localhost$|^127\.0\.0\.1$|^\[::1\]$, the URL is then passed to electron's shell.openExternal(...):
Open the given external protocol URL in the desktop's default manner. (For example, mailto: URLs in the user's default mail agent).
This functionality was removed in c86182.
Disclosure Timeline
- 2018-10-22: Issue initially discovered by Jeff Ziegener and Scott Payne at Hyland Software
- 2018-10-23: Issue disclosed to Mattermost per the Responsible Discolsure Policy
- 2018-10-24: Issue confirmed by Mattermost
- 2018-10-28: Fix merged to
master - 2018-11-27: Mattermost Desktop 4.2.0 released with the fix
- 2019-01-02: Vulnerability details released by Mattermost
- 2019-01-07: Writeup published
Top comments (0)