Rocket.Chat Client-side Remote Code Execution

We discussed this vulnerability as part of our weekly podcast on 11 January 2022

Rocket.Chat opens links to its own domain inside the main application window. Combined with the ability to upload arbitrary files, this lets an attacker get JavaScript executed in the Electron renderer and, because nodeIntegration is enabled, gain remote code execution on the client.

Rocket.Chat adds a _blank target to all links by default, but not when the link points to the same domain as the Rocket.Chat application. It is also possible for a user to upload arbitrary files; these are stored in S3, and a same-domain link is generated that redirects to the S3 location. By chaining these two issues an attacker can upload an arbitrary HTML file and have a same-domain link generated for it; once clicked, that link is navigated to inside the Electron browser window and its JavaScript runs there. Since nodeIntegration is enabled, JavaScript execution results in easy command execution on the client's machine.