Severity
High
Analysis Summary
A remote code execution flaw could allow a successful attacker to fully control the Slack desktop app on a target machine. Starting from any in-app redirect (a logic or open redirect, or an HTML or JavaScript injection), it is possible to execute arbitrary code within the Slack desktop apps using an exploit chain consisting of an HTML injection, a security control bypass, and an RCE JavaScript payload.
Slack has patched this critical vulnerability, which could allow an attacker to take over the Slack desktop application. With a successful exploit, an attacker could gain access to private keys, passwords, secrets, files, and conversations within Slack. Depending on the configuration of Slack on the target device, they could also reach the internal network and explore the environment.
The issue exists in the way Slack posts are made. An attacker would first upload a file containing the RCE payload to their own HTTPS-enabled server. They would then create a new Slack post, which creates a new file on https://files.slack.com with a specific JSON structure. It is possible to edit this JSON structure directly and add arbitrary HTML. All a user has to do is click the malicious post shared via Slack, and the code executes on their PC: the injected HTML redirects the user's desktop app to the attacker's website, which replies with the RCE JavaScript. The exploit bypasses the Slack desktop app environment, leaks an Electron object, and executes arbitrary commands on the target device. The RCE in Slack desktop apps could also be made "wormable", meaning it could repost itself to all of the user's workspaces once clicked.
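The chain above hinges on the desktop app being redirected from Slack's own origin to an attacker-controlled site, where the Electron renderer then receives hostile JavaScript. The defensive control for that step in any Electron application is a navigation guard: an allowlist of origins that the window may navigate to or open, enforced in the main process. The following is an added illustration of that control, not Slack's code and not from the advisory; the allowlisted hostnames, the `will-navigate` / `setWindowOpenHandler` wiring, and the shape of the `win` object are assumptions about a generic Electron app.

```javascript
// Added example: origin-allowlist navigation guard for an Electron app.
// Not Slack's implementation. ALLOWED_HOSTS is an assumed allowlist; the
// Electron webContents API shape is assumed to match a recent Electron.

const ALLOWED_HOSTS = ['app.slack.com', 'files.slack.com']; // assumption

// Exact host match, or subdomain match for entries written as ".example.com".
function hostMatches(host, allowed) {
  if (allowed.startsWith('.')) {
    return host === allowed.slice(1) || host.endsWith(allowed);
  }
  return host === allowed;
}

// Decide whether a navigation target is acceptable. Fails closed: anything that
// does not parse, is not https, carries userinfo (https://trusted@evil), or is
// off the allowlist is denied. javascript:, file: and http: are all rejected
// by the scheme check.
function isAllowedNavigation(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  return allowedHosts.some((a) => hostMatches(host, a.toLowerCase()));
}

// Attach the guard to a BrowserWindow. In-window redirects are cancelled via
// will-navigate, and window.open() is answered through setWindowOpenHandler.
// Returns the list of blocked targets so the caller can log them; a burst of
// blocked navigations to one external host is a useful detection signal.
function registerNavigationGuard(win, allowedHosts = ALLOWED_HOSTS) {
  const blocked = [];
  win.webContents.on('will-navigate', (event, target) => {
    if (!isAllowedNavigation(target, allowedHosts)) {
      event.preventDefault();
      blocked.push(target);
    }
  });
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (!isAllowedNavigation(url, allowedHosts)) {
      blocked.push(url);
      return { action: 'deny' };
    }
    return { action: 'allow' };
  });
  return blocked;
}
```

The guard is only one layer: an Electron window should also run with `nodeIntegration` disabled and `contextIsolation` enabled so that a renderer that does get hostile JavaScript cannot reach Node or an Electron object directly, which is the "leaks an Electron object" step the advisory describes.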
Impact
- Remote Code Execution
- Security Bypass
Affected Vendors
Slack
Affected Products
Slack for desktop (4.2 and 4.3.2) on Mac, Windows and Linux
Remediation
Update to version 4.4 to apply the patches.