Monday, March 5, 2018

NoSQL injection leading to administrator account takeover in Rocket.Chat (0.57.3, 0.58.3 and below)

Executive Summary

A regular user account can access sensitive data through a NoSQL injection vulnerability in the API provided by Rocket.Chat. The exposed data includes usernames, email addresses, login tokens, password hashes and password reset tokens of all users of the application, administrators included. A malicious user can try to crack the password hashes or request a password reset to compromise accounts. Using this vulnerability, a regular user can obtain administrator access on the application, which can result in further sensitive data exposure such as conversations, LDAP configuration…

What is Rocket.Chat?

According to their website, "Rocket.Chat is the leading open source team chat software solution. Free, unlimited and completely customizable with on-premises and SaaS cloud hosting." Based on a tweet from last November, Rocket.Chat has been installed on over 150k servers and is used by more than 10 million people.

Detailed explanations

This vulnerability has been tested on Rocket.Chat 0.58.3, the last stable release as of October 4th 2017. According to the source code on GitHub, the current development code is also vulnerable.

Two attack scenarios exploiting this NoSQL injection have been identified:

  • Password hashes extraction
  • Account takeover via password reset

Password hashes extraction

Request to the API to show the version:
[screenshot]

Login to the API with a regular user:
[screenshot]

Check user privileges:
[screenshot]

The regular user “attacker” is of type “user” and doesn’t have access to administration features.

Our regular user is able to list administrators using the NoSQL injection in the “query” parameter:
[screenshot]

It is also possible to show hidden fields with the “fields” parameter:
[screenshot]

With this information, a regular user has access to usernames, email addresses and password hashes of administrators, and can use tools such as JohnTheRipper or Hashcat to try to recover cleartext passwords. Passwords are hashed using Meteor’s Accounts-password library like this:
hash = bcrypt(sha256(password))

Account takeover via password reset

There is an easier and faster way to compromise administrator accounts: the “Reset password” feature. Before requesting a password reset, the victim’s account data looks like this:
[screenshot]

We can use the victim’s email address to request a password reset:
[screenshot]

After the password reset has been requested, a malicious low-privileged user (attacker) can query the API to retrieve the password reset token:
[screenshot]

With that reset token in hand, a malicious user can reset the victim’s (admin) password:
[screenshot]

[screenshot]
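Both scenarios above go through the caller-supplied “query” and “fields” parameters of the user-listing endpoint. As an added example, and not Rocket.Chat’s own code or its actual fix, here is how such an endpoint can allow-list both parameters so that a regular user can neither filter on nor receive credential fields; the field names are assumptions modelled on the data shown in the screenshots (services.*, emails), not the exact Rocket.Chat schema.

```javascript
// Added example, not Rocket.Chat's own code: server-side validation of the caller-supplied
// "query" (MongoDB selector) and "fields" (projection) parameters of a users.list-style
// REST endpoint. Field names are assumptions, not the exact Rocket.Chat schema.

// Fields a regular (non-admin) caller may filter on or ask for.
const PUBLIC_FIELDS = new Set(['_id', 'username', 'name', 'status', 'type', 'active']);
// Subtrees holding credentials (password hash, reset token, login tokens) and addresses.
const SENSITIVE_SUBTREES = ['services', 'emails'];

// Query-string parameters arrive as strings; anything that is not a JSON object is rejected.
function parseJsonParam(raw) {
  try {
    const v = JSON.parse(raw);
    return v !== null && typeof v === 'object' && !Array.isArray(v) ? v : null;
  } catch (e) {
    return null;
  }
}

// Accept only {publicField: scalar} selectors. Operator keys ($where, $regex, ...) and nested
// objects are refused because they let the caller express arbitrary MongoDB selectors.
function validateQuery(raw) {
  const q = parseJsonParam(raw);
  if (q === null) return { ok: false, reason: 'query must be a JSON object' };
  for (const [key, value] of Object.entries(q)) {
    if (key.startsWith('$')) return { ok: false, reason: `operator ${key} not allowed` };
    if (!PUBLIC_FIELDS.has(key)) return { ok: false, reason: `field ${key} not queryable` };
    if (value !== null && typeof value === 'object') return { ok: false, reason: `${key} must be a scalar` };
  }
  return { ok: true, query: q };
}

// Build a projection that can only narrow the public field set. Requested fields outside it
// (services.*, emails, ...) are dropped; if nothing public remains, all public fields are used
// rather than an empty projection, which MongoDB would treat as "return every field".
function safeProjection(raw) {
  const requested = parseJsonParam(raw) || {};
  const wanted = [...PUBLIC_FIELDS].filter((f) => requested[f] === 1);
  const projection = {};
  for (const f of wanted.length ? wanted : PUBLIC_FIELDS) projection[f] = 1;
  return projection;
}

// Defence in depth: strip credential subtrees from each document before it is serialised
// to a non-admin caller, even if an over-broad projection slipped through elsewhere.
function redactUser(doc) {
  const out = { ...doc };
  for (const sub of SENSITIVE_SUBTREES) delete out[sub];
  return out;
}
```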

Timeline

October 4th 2017: Bug reported
October 5th 2017: Fix deployed
January 2nd 2018: Attribution of CVE ID CVE-2017-1000493
January 17th 2018: Official communication from Rocket.Chat about the vulnerability (blog post and tweets)
March 5th 2018: Publication of this blog post

Thanks to the Rocket.Chat team for fixing the reported vulnerability quickly.

After a quick search on Shodan, I figured out that there is another easy way to compromise a Rocket.Chat application ...