Slack Patches Critical Desktop Vulnerability

The remote code execution flaw could allow a successful attacker to fully control the Slack desktop app on a target machine.

Slack has patched a critical remote code execution vulnerability that could enable an attacker to execute arbitrary code in the desktop version of its collaboration software, researchers report.


Oskars Vegeris, a security engineer at Evolution Gaming, discovered the flaw and privately shared it with Slack in January 2020 through HackerOne. The vulnerability has a CVSS score between 9 and 10 and could allow an attacker to take over the Slack desktop application.


With a successful exploit, an attacker could gain access to private keys, passwords, secrets, files, and conversations within Slack. Depending on the configuration of Slack on a target device, they could also gain access to the internal network and explore the environment.


"With any in-app redirect - logic/open redirect, HTML or javascript injection it's possible to execute arbitrary code within Slack desktop apps," Vegeris explains in a report, which details an exploit consisting of an HTML injection, security control bypass, and RCE JavaScript payload.


The exploit was tested and working on the latest versions of Slack for desktop (4.2 and 4.3.2) on Mac, Windows, and Linux, he adds. Slack issued an initial fix for the vulnerability in February; it was disclosed via HackerOne on Aug. 31.


This issue exists in the way Slack posts are made, Vegeris says. Attackers would first need to upload a file containing the RCE payload on their own HTTPS-enabled server. They would then make a new Slack post, which creates a new file on https://files.slack.com with a specific JSON structure. It is possible for them to directly edit this JSON structure and add ..