Rocket.Chat Client-side Remote Code Execution
Rocket.Chat's Electron client opens links to the same domain inside the main application window. Combined with the ability to upload arbitrary files, an attacker can run JavaScript in that window and, because nodeIntegration is enabled, gain remote code execution on the client.
Rocket.Chat adds a _blank target to links by default, so they open outside the application window, but this is not applied when the link points to the same domain as the Rocket.Chat server. Separately, any user can upload arbitrary files; the files are stored in S3, and Rocket.Chat generates a link on its own domain that redirects to the S3 location. Chaining the two, an attacker uploads an arbitrary HTML file and obtains a same-domain link to it; when a victim clicks that link, the Electron client navigates its main window to the file and executes the attacker's JavaScript. Because nodeIntegration is enabled in that window, JavaScript execution translates directly into command execution on the victim's machine.