Attacker can abuse slack/mattermost integrations to execute slash commands as another user
HackerOne report #2188868 by yvvdwf
on 2023-10-01, assigned to H1 Triage
Report
Hello,
I found a vulnerability in the slash command integration (either Slack or Mattermost). It allows attackers to execute any slash commands, including executing ChatOps jobs, as victims.
Before executing a slash command, GitLab will:
1. verify whether the given token is the same as the one in the integration setting
2. identify the current user via the `team_id` and `user_id` parameters
The vulnerability is the lack of correlation between [1] and [2]. Consequently, attackers can impersonate another user when knowing his/her `team_id` and `user_id` in a Slack (or Mattermost) workspace.
Steps to reproduce on gitlab.com
- As Victim:
  - On an existing project, or create a new one (note its name, e.g., `victim/project-a`), follow the steps to integrate Slack from the project integration settings by creating a new Slack workspace
  - Test the integration by sending a message in Slack to create a new issue: `/gitlab victim/project-a issue new issue-title`
  - Invite the attacker to the Slack workspace which has been used in the integration above
- As Attacker:
  - Join the invited Slack workspace using a web browser, then view the victim's profile
  - From the URL of the victim's profile, copy `team_id` (which starts with `T`, e.g., `T05TGJXXXX`) and `user_id` (which starts with `U`, e.g., `U05TX1JXXXX`)
  - Create a new project, then add a `.gitlab-ci.yml` file as follows:

    ```yaml
    test:
      script:
        - echo hi ${GITLAB_USER_LOGIN}
        - echo run $CHAT_INPUT
        - bash -xc "$CHAT_INPUT"
    ```

  - Add the victim to the project's members as Maintainer
  - Then go to Settings/Integrations/Mattermost slash commands and fill the form:
    - Active: checked
    - Token: `abcdef`
    - Click Save changes
  - Note the ID of the project above, e.g., `11111111`
  - Open a terminal, execute the following command after replacing your project ID, `team_id` and `user_id`:

    ```shell
    curl -X POST https://gitlab.com/api/v4/projects/11111111/services/mattermost_slash_commands/trigger \
      --data 'token=abcdef&user_id=U05TX1JXXXX&team_id=T05TGJXXXX&text=run test date'
    ```

  - Go to Build/Pipelines; you should see a new pipeline which was triggered as victim
Impacts
The vulnerability allows attackers to execute as victims any slash commands, such as executing ChatOps jobs, deploying from one environment to another, or creating a new issue/comment (thus executing any quick action).
Consequently, I think that the impact should be at least the same as CVE-2023-5207 or CVE-2023-5207, unless the attack complexity vector should be Low, as any member in a Slack integration workspace of a project can view the `team_id` and `user_id` of the victim. Furthermore, since `team_id` and `user_id` are not confidential information, they can be easily leaked, e.g., by quickly searching on Gitlab.com I found some:
Team id: T02592416
Team id: T03TQEUUA49
Thank you!
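The gap the report describes, as an added toy model written for this page (it is not GitLab's own code and not the upstream patch): the trigger endpoint authenticates the request with the *project's* integration token, then resolves the acting user from `team_id`/`user_id` alone, so a token the attacker controls (project `11111111`, token `abcdef`) resolves to a chat identity the victim linked through a different integration. The "hardened" variant shows one possible fix, binding the chat identity to the integration whose token was presented and to that integration's workspace; that design, the `ChatName`/`Integration` structures, the membership table and all IDs are constructed assumptions.

```ruby
# Toy model of a slash-command trigger endpoint, written for this page to
# illustrate the report. Not GitLab's code; names, tokens and IDs are constructed.
# hardened_trigger shows one possible mitigation (an assumption, not the real fix).

# An integration as configured under a project's Settings > Integrations.
# team_id is the workspace it was set up with (used by the hardened version only).
Integration = Struct.new(:project_id, :token, :team_id)

# A linked chat identity: "Slack user chat_id in workspace team_id is GitLab
# user gitlab_user", recorded when they authorized via the integration of
# integration_project_id.
ChatName = Struct.new(:team_id, :chat_id, :gitlab_user, :integration_project_id)

INTEGRATIONS = {
  1        => Integration.new(1, 'victim-workspace-token', 'T05TGJXXXX'), # victim/project-a
  11111111 => Integration.new(11111111, 'abcdef', 'T0ATTACKERWS')          # attacker's project
}.freeze

CHAT_NAMES = [
  ChatName.new('T05TGJXXXX', 'U05TX1JXXXX', 'victim', 1) # linked via project-a's Slack integration
].freeze

# Who may run ChatOps jobs in each project (the attacker added the victim as Maintainer).
MEMBERS = { 1 => ['victim'], 11111111 => ['attacker', 'victim'] }.freeze

# Constant-time equality so the token check itself does not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for running the slash command / ChatOps job as the resolved user.
def run_command(project_id, user, text)
  return { status: :forbidden, user: user } unless MEMBERS.fetch(project_id, []).include?(user)
  { status: :ok, project_id: project_id, executed_as: user, text: text }
end

# Vulnerable flow from the report: step 1 checks project_id's integration token,
# step 2 resolves the caller from team_id/user_id alone, nothing ties the two.
def vulnerable_trigger(project_id, params)
  integration = INTEGRATIONS[project_id]
  return { status: :unauthorized } unless integration && constant_time_equal?(integration.token, params[:token].to_s)

  chat_name = CHAT_NAMES.find { |c| c.team_id == params[:team_id] && c.chat_id == params[:user_id] }
  return { status: :unknown_user } unless chat_name

  run_command(project_id, chat_name.gitlab_user, params[:text])
end

# One way to close the gap: only accept an identity that was linked through the
# integration the presented token belongs to, and only from that integration's
# workspace. An attacker-controlled token then cannot resolve to a ChatName
# created under the victim's integration.
def hardened_trigger(project_id, params)
  integration = INTEGRATIONS[project_id]
  return { status: :unauthorized } unless integration && constant_time_equal?(integration.token, params[:token].to_s)
  return { status: :unauthorized } unless params[:team_id] == integration.team_id

  chat_name = CHAT_NAMES.find do |c|
    c.integration_project_id == project_id &&
      c.team_id == params[:team_id] && c.chat_id == params[:user_id]
  end
  return { status: :unknown_user } unless chat_name

  run_command(project_id, chat_name.gitlab_user, params[:text])
end

# The request from the report, replayed against the attacker's own integration.
ATTACK = { token: 'abcdef', user_id: 'U05TX1JXXXX', team_id: 'T05TGJXXXX', text: 'run test date' }.freeze

if $PROGRAM_NAME == __FILE__
  p vulnerable_trigger(11111111, ATTACK) # status: :ok, executed_as: "victim"
  p hardened_trigger(11111111, ATTACK)   # status: :unauthorized
end
```

The key property to check in any fix of this shape is that the record used for identity carries a reference to the integration (or at least the workspace) that the token authenticated, and that the lookup is scoped by it; validating the token and the `team_id`/`user_id` pair separately, however carefully, does not remove the impersonation.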