Attacker can abuse slack/mattermost integrations to execute slash commands as another user

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2188868 by yvvdwf on 2023-10-01, assigned to H1 Triage:

Report | Attachments | How To Reproduce

Report

Hello,

I found a vulnerability in the slash command integration (either Slack or Mattermost). It allows attackers to execute any slash commands, including executing the ChatOps jobs, as victims.

Before executing a slash command, Gitlab will:

  1. verify whether the given token is the same as the one in the integration setting
  2. identify the current user via team_id and user_id parameters

The vulnerability is the non-correlation between [1] and [2]. Consequently, attackers can impersonate another user if they know his/her team_id and user_id in a Slack (or Mattermost) workspace.

Steps to reproduce on gitlab.com

  1. As Victim:
     • On an existing project, or create a new one (note its name, e.g., victim/project-a), follow the steps to integrate Slack from the project integration settings by creating a new Slack workspace
     • Test the integration by sending a message in Slack to create a new issue: /gitlab victim/project-a issue new issue-title
     • Invite the attacker to the Slack workspace which has been used in the integration above
  2. As Attacker:
     • Join the invited Slack workspace using a web browser, then view the victim's profile
     • From the URL of the victim's profile, copy team_id (which starts with T, e.g., T05TGJXXXX) and user_id (which starts with U, e.g., U05TX1JXXXX)

slack-profile.png

     • Create a new project, then add a .gitlab-ci.yml file as the following:

```yaml
test:
  script:
    - echo hi ${GITLAB_USER_LOGIN}
    - echo run $CHAT_INPUT
    - bash -xc "$CHAT_INPUT"
```

     • Add the victim to the project's members as Maintainer
     • Then go to Settings/Integrations/Mattermost slash commands and fill the form:
       • Active: checked
       • Token: abcdef
       • Click Save changes
     • Note the ID of the project above, e.g., 11111111

     • Open a terminal and execute the following command after replacing your project ID, team_id and user_id:

```shell
curl -X POST https://gitlab.com/api/v4/projects/11111111/services/mattermost_slash_commands/trigger --data 'token=abcdef&user_id=U05TX1JXXXX&team_id=T05TGJXXXX&text=run test date'
```

     • Go to Build/Pipelines; you should see a new pipeline which was triggered as the victim

Impacts

The vulnerability allows attackers to execute any slash commands as victims, such as executing the ChatOps jobs, deploying from one environment to another, or creating a new issue/comment (and thus executing any quick action).

Consequently, I think that the impact should be at least the same as CVE-2023-5207 or CVE-2023-5207, unless the attack complexity vector should be Low, as any member in a Slack integration workspace of a project can view the team_id and user_id of the victim. Furthermore, since team_id and user_id are not confidential information, they can be easily leaked, e.g., by quickly searching on Gitlab.com I found some:

Team id: T02592416

Team id: T03TQEUUA49

Thank you!
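As an added illustration (not GitLab's code and not part of the report), the following Ruby model of the trigger endpoint contrasts the uncorrelated token check [1] and identity lookup [2] described above with a lookup scoped to the integration whose token was verified. The model names, the sample data and the integration_id field on the identity link are assumptions.

```ruby
# Added illustration, not GitLab's code: a toy model of the trigger endpoint
# /projects/:id/services/mattermost_slash_commands/trigger. Names, sample data
# and the integration_id scoping field are assumptions made for this example.
Integration = Struct.new(:id, :project, :token)
# Links a Slack/Mattermost identity (team_id + user_id) to a GitLab user.
ChatName = Struct.new(:integration_id, :team_id, :chat_id, :user)

# Constructed sample data: the victim linked their Slack identity while using
# the integration of victim/project-a; the attacker controls a second project
# whose integration token is 'abcdef', as in the report.
INTEGRATIONS = {
  1 => Integration.new(1, 'victim/project-a', 's3cr3t-victim-token'),
  2 => Integration.new(2, 'attacker/project-b', 'abcdef')
}.freeze
CHAT_NAMES = [ChatName.new(1, 'T05TGJXXXX', 'U05TX1JXXXX', 'victim')].freeze

# Step [1] of the report: the token only proves the caller knows the secret of
# *this* project's integration.
def token_valid?(integration, params)
  !integration.nil? && integration.token == params[:token]
end

# Vulnerable shape: step [2] looks the identity up by team_id/user_id alone, so
# any integration whose token the caller knows resolves to the victim.
def resolve_user_vulnerable(project_id, params)
  integration = INTEGRATIONS[project_id]
  return nil unless token_valid?(integration, params)
  chat = CHAT_NAMES.find do |c|
    c.team_id == params[:team_id] && c.chat_id == params[:user_id]
  end
  chat&.user
end

# Hardened shape: correlate [1] and [2] by scoping the lookup to the
# integration whose token was just verified. An identity linked through
# another project's integration is simply not found.
def resolve_user_hardened(project_id, params)
  integration = INTEGRATIONS[project_id]
  return nil unless token_valid?(integration, params)
  chat = CHAT_NAMES.find do |c|
    c.integration_id == integration.id &&
      c.team_id == params[:team_id] && c.chat_id == params[:user_id]
  end
  chat&.user
end

# The request from the report, sent against the attacker's own project (id 2).
ATTACK = { token: 'abcdef', team_id: 'T05TGJXXXX',
           user_id: 'U05TX1JXXXX', text: 'run test date' }.freeze
```

With the sample data, resolve_user_vulnerable(2, ATTACK) returns "victim" while resolve_user_hardened(2, ATTACK) returns nil, so the attacker's request would be treated as an unlinked chat user rather than as the victim.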

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: