8/31/2020
05:40 PM

Slack Patches Critical Desktop Vulnerability

The remote code execution flaw could allow a successful attacker to fully control the Slack desktop app on a target machine.

Slack has patched a critical remote code execution vulnerability that could enable an attacker to execute arbitrary code in the desktop version of its collaboration software, researchers report.

Oskars Vegeris, a security engineer at Evolution Gaming, discovered the flaw and privately shared it with Slack in January 2020 through HackerOne. The vulnerability has a CVSS score between 9 and 10 and could allow an attacker to take over the Slack desktop application.

With a successful exploit, an attacker could gain access to private keys, passwords, secrets, files, and conversations within Slack. Depending on the configuration of Slack on a target device, they could also gain access to the internal network and explore the environment.


"With any in-app redirect - logic/open redirect, HTML or JavaScript injection, it's possible to execute arbitrary code within Slack desktop apps," Vegeris explains in a report, which details an exploit consisting of an HTML injection, security control bypass, and RCE JavaScript payload.

The exploit was tested and working on the latest versions of Slack for desktop (4.2 and 4.3.2) on Mac, Windows, and Linux, he adds. Slack issued an initial fix for the vulnerability in February; it was disclosed via HackerOne on Aug. 31.

This issue exists in the way Slack posts are made, Vegeris says. Attackers would first need to upload a file containing the RCE payload on their own HTTPS-enabled server. They would then make a new Slack post, which creates a new file on https://files.slack.com with a specific JSON structure. It is possible for them to directly edit this JSON structure and add arbitrary HTML.

JavaScript execution is restricted by Slack's Content Security Policy (CSP), Vegeris notes, and there are security protections for certain HTML tags. For example, "iframe," "applet," "meta," "script," and "form" are all banned, and the "target" attribute of A tags is overwritten to _blank.

However, he found it's still possible to inject area and map tags, which can be used to achieve one-click remote code execution. An attacker could edit the JSON structure and inject malicious code using the web user interface that Slack provides, Vegeris says. The payload can be altered to access private conversations, files, and tokens without executing new commands on the victim device.
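The filtering the article describes is a denylist: named tags are banned and everything else passes, which is why map and area elements slipped through. The following is an added example, not Slack's code, that contrasts a denylist check with an allowlist check over constructed post bodies; the trusted host list and the sample fragments are assumptions made here for illustration.

```javascript
// Added example (not from the article or from Slack): denylist vs allowlist
// tag filtering for user-supplied HTML in a post body.
const DENYLIST = new Set(['iframe', 'applet', 'meta', 'script', 'form']);
const ALLOWLIST = new Set(['p', 'b', 'i', 'em', 'strong', 'br', 'ul', 'ol', 'li', 'a']);
// Matches opening and closing tags; group 1 is the element name, group 2 the attributes.
const TAG_RE = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;

// Return the lower-cased element names found in an HTML fragment.
function tagNames(html) {
  return Array.from(html.matchAll(TAG_RE), (m) => m[1].toLowerCase());
}

// Denylist check: accepts any element that is not explicitly banned.
// This is the weak approach: an element the list never anticipated passes.
function denylistAccepts(html) {
  return tagNames(html).every((t) => !DENYLIST.has(t));
}

// Allowlist check: accepts only known elements, and for <a> only absolute
// https links to hosts in the trusted list (constructed here as an assumption).
function allowlistAccepts(html, trustedHosts = ['files.slack.com']) {
  for (const m of html.matchAll(TAG_RE)) {
    const name = m[1].toLowerCase();
    if (!ALLOWLIST.has(name)) return false;          // map, area, etc. rejected outright
    if (name === 'a' && !m[0].startsWith('</')) {
      const href = /href\s*=\s*["']?([^"'\s>]+)/i.exec(m[2]);
      if (!href) continue;                           // anchor without href is inert
      let url;
      try { url = new URL(href[1]); } catch { return false; } // relative or malformed
      if (url.protocol !== 'https:' || !trustedHosts.includes(url.hostname)) return false;
    }
  }
  return true;
}

// Constructed sample: a clickable image map pointing off-platform. No banned tag
// appears, so the denylist passes it; the allowlist rejects it.
const SAMPLE_CLICKABLE_MAP =
  '<p>Quarterly numbers</p><map name="m"><area shape="rect" coords="0,0,99,99" href="https://untrusted.example/"></map>';
```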

All a user has to do is click the malicious post shared via Slack, and the code is executed on their PC. The HTML redirects the user's desktop app to the attacker's website, which replies with RCE JavaScript. The exploit bypasses Slack desktop app env, leaks an Electron object, and executes arbitrary commands on the target device, he explains.

"Essentially, this gives an attacker full remote control over the Slack desktop app via overwriting Slack desktop app env functions and providing a 'tunnel' via BrowserWindow to execute arbitrary Javascript, i.e. a weird XSS case with full access to anything the Slack app has - easy access to private channels, conversations, functions etc.," Vegeris writes.

The RCE in Slack desktop apps could also be made "wormable," meaning it could repost to all user workspaces after it's clicked.

The researcher also found emails sent in plaintext are stored unfiltered on Slack servers at https://files.slack.com. With direct access, he explains, they are returned as text/HTML without force-download. He says this functionality could let an attacker store the RCE payload without their own hosting.

"Since it's a trusted domain, it could contain a phishing page with a fake Slack login page or different arbitrary content which could impact both security and reputation of Slack," he says, noting he did not spot any security headers or other restrictions.

Slack users are urged to update their desktop applications to version 4.4 to patch the flaw.

The Value of Security Research
Slack, a company worth $20 billion, paid Vegeris only $1,750 for the RCE vulnerability through its bug bounty program. It also published a blog post about the flaw in February and neglected to mention Vegeris' work, for which the company recently issued an apology.

Members of the security community voiced their disappointment in a payout that seemed to fall short given the amount of time and effort Vegeris put into his writeup and disclosure, as well as the severity of this flaw in a collaboration platform that global organizations use for sensitive discussions across all parts of the business: infosec, design, mergers, and so forth.

Daniel Cuthbert, security expert and coauthor of the OWASP ASVS standard, posted a Twitter thread calling on Slack "to pay properly" for vulnerability research. Exploits like this could sell for far more than $1,750 if marketed on the Dark Web, he noted. If another researcher had discovered the vulnerability first, Slack may not have had the chance to patch it in time.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
