Attacker can abuse slack/mattermost integrations to execute slash commands as another user
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/developer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.**
**[HackerOne report #2188868](https://hackerone.com/reports/2188868)** by `yvvdwf` on 2023-10-01, assigned to `H1 Triage`:
[Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)
## Report
Hello,
I found a vulnerability in [slash command integration](https://gitlab.com/gitlab-org/gitlab/-/blob/b527fcefbe42124aa7b42ac125ee033a90c16d6f/lib/api/integrations.rb#L208) (either slack or mattermost). It allows attackers to execute any [slash commands](https://docs.gitlab.com/ee/user/project/integrations/gitlab_slack_application.html#slash-commands), including executing the ChatOps jobs, as victims.
Before executing a slash command, Gitlab will:
- [1.](https://gitlab.com/gitlab-org/gitlab/-/blob/b527fcefbe42124aa7b42ac125ee033a90c16d6f/lib/api/integrations.rb#L186) verify whether the given token is the same as the one in the integration setting
- [2.](https://gitlab.com/gitlab-org/gitlab/-/blob/b527fcefbe42124aa7b42ac125ee033a90c16d6f/app/models/integrations/base_slash_commands.rb#L47) identify the current user via `team_id` and `user_id` parameters
The vulnerability is at the non-correlation between [1] and [2]. Consequently attackers can impersonate another user when knowing his/her `team_id` and `user_id` in a Slack (or Mattermost) workspace.
### Steps to reproduce on gitlab.com
1. As Victim:
- On an existing project, or a newly created one (note its name, e.g., `victim/project-a`), follow the [steps](https://docs.gitlab.com/ee/user/project/integrations/gitlab_slack_application.html#from-project-integration-settings) to integrate Slack from project integration settings by creating a new Slack workspace
- Test the integration by sending a message in Slack to create a new issue: `/gitlab victim/project-a issue new issue-title`
- Invite the attacker to the Slack workspace that was used in the integration above
2. As Attacker:
- Join the Slack workspace you were invited to using a web browser, then view the victim's profile
- From the URL of the victim's profile, copy `team_id` (which starts with `T`, e.g., `T05TGJXXXX`) and `user_id` (which starts with `U`, e.g., `U05TX1JXXXX`)

- Create a new project, then add a `.gitlab-ci.yml` file with the following content:
```yaml
test:
  script:
    - echo hi ${GITLAB_USER_LOGIN}
    - echo run $CHAT_INPUT
    - bash -xc "$CHAT_INPUT"
```
- Add the victim to the project's members as `Maintainer`
- Then go to `Settings/Integrations/Mattermost slash commands` and fill the form:
- `Active`: checked
- `Token`: `abcdef`
- Click `Save changes`
- Note the ID of the project above, e.g., `11111111`
- Open a terminal, execute the following command after replacing your project ID, `team_id` and `user_id`:
```bash
curl -X POST https://gitlab.com/api/v4/projects/11111111/services/mattermost_slash_commands/trigger --data 'token=abcdef&user_id=U05TX1JXXXX&team_id=T05TGJXXXX&text=run test date'
```
- Go to `Build/Pipelines`; you should see a new pipeline that was triggered as `victim`
### Impacts
The vulnerability allows attackers to execute as victims any [slash commands](https://docs.gitlab.com/ee/user/project/integrations/gitlab_slack_application.html#slash-commands), such as executing the ChatOps jobs, deploying from one environment to another environment, or creating a new issue/comment (and thus executing any [quick action](https://docs.gitlab.com/ee/user/project/quick_actions.html)).
Consequently, I think that the impact should be at least the same as CVE-2023-5207 or CVE-2023-5207, unless the `attack complexity` vector should be `Low`, as any member in a Slack integration workspace of a project can view the `team_id` and `user_id` of the victim. Furthermore, since `team_id` and `user_id` are not confidential information, they can be easily leaked, e.g., by quickly searching on Gitlab.com, I found some:
- Team id: [T02592416](https://gitlab.com/gitlab-org/gitlab/-/issues/381077)
  - [U035TQSSN](https://gitlab.com/gitlab-org/gitlab/-/issues/7246)
  - [U8QP8KCA2](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/803)
- Team id: [T03TQEUUA49](https://gitlab.com/gitlab-org/monitor/respond/-/issues/143#note_1069736628)
  - [U03T8SYJQQ5](https://gitlab.com/gitlab-org/monitor/respond/-/issues/143#note_1069736628)
Thank you!
#### Impact
The vulnerability allows attackers to execute as victims any [slash commands](https://docs.gitlab.com/ee/user/project/integrations/gitlab_slack_application.html#slash-commands), such as executing the ChatOps jobs, deploying from one environment to another environment, or creating a new issue/comment (and thus executing any [quick action](https://docs.gitlab.com/ee/user/project/quick_actions.html)).
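The missing correlation between step [1] (token check) and step [2] (chat-user lookup) in the report above, modelled as an added Ruby example. This is not GitLab's code: the data shapes, class and method names are assumptions, and the sample integrations, token and chat IDs are constructed to mirror the report. It shows the lookup that lets a token for one project resolve a chat identity linked through another project's integration, beside the scoped lookup that binds the chat identity to the integration the token authenticated.

```ruby
# Added illustrative model, not GitLab's code: the two checks the report
# describes (token verification, then chat-user lookup) with and without a
# binding between them. Data shapes and names are assumptions.
require 'openssl'

Integration = Struct.new(:project_id, :token)
ChatName = Struct.new(:integration, :team_id, :chat_id, :user)

class SlashCommandTrigger
  def initialize(integrations, chat_names)
    @integrations = integrations
    @chat_names = chat_names
  end

  # Step 1: the token must match the integration of the project in the URL.
  def authenticate(project_id, token)
    integration = @integrations.find { |i| i.project_id == project_id }
    return nil unless integration && token.is_a?(String)
    OpenSSL.secure_compare(token, integration.token) ? integration : nil
  end

  # Vulnerable step 2: chat user resolved from (team_id, user_id) alone, so a
  # token for *any* project lets the caller act as a user linked elsewhere.
  def resolve_user_vulnerable(project_id, params)
    return :unauthorized unless authenticate(project_id, params[:token])
    link = @chat_names.find { |c| c.team_id == params[:team_id] && c.chat_id == params[:user_id] }
    link&.user
  end

  # Hardened step 2: only links that belong to the integration the token just
  # authenticated are considered, so another project's user cannot be borrowed.
  def resolve_user_fixed(project_id, params)
    integration = authenticate(project_id, params[:token])
    return :unauthorized unless integration
    link = @chat_names.find do |c|
      c.integration == integration && c.team_id == params[:team_id] && c.chat_id == params[:user_id]
    end
    link&.user
  end
end

# Constructed sample data mirroring the report: the victim linked their Slack
# identity through project 1; the attacker owns project 2 and chose its token.
VICTIM_INTEGRATION   = Integration.new(1, 'victim-secret-token')
ATTACKER_INTEGRATION = Integration.new(2, 'abcdef')
CHAT_LINKS = [ChatName.new(VICTIM_INTEGRATION, 'T05TGJXXXX', 'U05TX1JXXXX', 'victim')]
TRIGGER = SlashCommandTrigger.new([VICTIM_INTEGRATION, ATTACKER_INTEGRATION], CHAT_LINKS)
ATTACK_PARAMS = { token: 'abcdef', team_id: 'T05TGJXXXX', user_id: 'U05TX1JXXXX', text: 'run test date' }
```

With the attacker's own token, `resolve_user_vulnerable(2, ATTACK_PARAMS)` resolves to the victim, while `resolve_user_fixed(2, ATTACK_PARAMS)` finds no link for that integration and returns nil.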
## Attachments
**Warning:** Attachments received through HackerOne, please exercise caution!
* [slack-profile.png](https://h1.sec.gitlab.net/a/206d1965-bc5a-48ff-a2be-82fb58ce7ba4/slack-profile.png)
## How To Reproduce
Please add [reproducibility information] to this section:
[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues