[BUG] - Website URL parameter allows executing arbitrary executables #1315

Open
DaXcess opened this issue Apr 30, 2024 · 3 comments · May be fixed by #1378
Labels
bug Minor issue good first issue Good for newcomers

Comments

DaXcess commented Apr 30, 2024

Describe the bug
In both r2modman and TMM there is an issue in the "Website" button on a mod card that doesn't properly check if the URL is valid, and allows executing arbitrary commands and executables. This is because the website parameter is directly passed to electron.shell.openExternal (and thereby passed to ShellExecuteW without any sanitization), which allows the use of protocols like file to execute dangerous commands. This includes executing programs hosted on remote SMB shares (which at that point is basically an RCE).

To Reproduce
Steps to reproduce the behavior:

  1. Create a modpack in r2modman (any game, any profile, any mods)
  2. Modify the mods.yml file and change the websiteUrl parameter to a malicious payload (e.g. file://C:/Windows/System32/calc.exe)
  3. Export the profile as code
  4. Share code with unsuspecting victim
  5. Coerce them into clicking the "Website" button on the mod that was modified in the mods.yml
  6. The payload gets triggered

Expected behavior
The launcher should only allow trusted protocols (http, https) to be used, which preferably would be filtered by the LinkImpl class.

```ts
openLink(url: string): void {
    shell.openExternal(url);
}
```

Video

This was recorded on TMM, but issue applies to both r2modman and TMM

uhoh.mp4
@DaXcess DaXcess added the bug Minor issue label Apr 30, 2024
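
One way to implement the scheme allowlist described under "Expected behavior" above, as an added example (not r2modman's code and not the fix in the linked pull request). `toSafeExternalUrl`, `openLinkChecked` and the `Opener` type are hypothetical names; `Opener` stands in for `shell.openExternal` so the block runs without Electron, and the sample inputs are constructed apart from the `calc.exe` payload quoted in the issue.

```typescript
// Schemes the issue asks for. URL.protocol always carries the trailing colon.
const ALLOWED_PROTOCOLS: ReadonlyArray<string> = ["http:", "https:"];

// Stand-in for electron's shell.openExternal (assumption, keeps the example Electron-free).
type Opener = (url: string) => void;

// Returns the normalized URL when it is absolute and uses an allowed scheme, else null.
function toSafeExternalUrl(raw: string): string | null {
    let parsed: URL;
    try {
        parsed = new URL(raw); // throws on relative or malformed input
    } catch {
        return null;
    }
    // Compare the parsed scheme, not a string prefix: the parser has already
    // lower-cased it and stripped leading whitespace and control characters.
    if (ALLOWED_PROTOCOLS.indexOf(parsed.protocol) === -1) return null;
    return parsed.href;
}

// Hypothetical hardened openLink: the opener receives the parsed form that was
// validated, never the raw string taken from mods.yml or a profile code.
function openLinkChecked(raw: string, open: Opener): boolean {
    const safe = toSafeExternalUrl(raw);
    if (safe === null) return false;
    open(safe);
    return true;
}

// Constructed sample websiteUrl values (the calc.exe one is quoted from the issue).
const SAMPLES: string[] = [
    "https://thunderstore.io/",
    "HTTP://Example.com/mod",
    "file://C:/Windows/System32/calc.exe",
    "  file:///C:/Windows/System32/calc.exe",
    "file://fileserver.example/share/tool.exe",
    "javascript:alert(1)",
    "example.com/no-scheme",
];

// Runs every sample through the check and returns only what reached the opener.
function runSamples(): string[] {
    const opened: string[] = [];
    for (const s of SAMPLES) {
        openLinkChecked(s, (u) => opened.push(u));
    }
    return opened;
}
```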

DaXcess commented Apr 30, 2024

Here's an example that's more than just opening calculator and showcases that this has the ability to run any arbitrary code

346321723.6_shucks.mp4

@ebkr ebkr added the good first issue Good for newcomers label Jun 18, 2024
@AdamHebby

Just checked on this, both versions of the Thunderstore Mod Upload Handler check that the website_url is valid - So this issue only exists for local mods. It is still an issue of course.


DaXcess commented Jun 18, 2024

This also affects profile codes like this one: 01902cc2-ccf6-3f2d-12f4-49d231a6ce4a (BepInEx website opens calculator)

AdamHebby added a commit to AdamHebby/r2modmanPlus that referenced this issue Jun 19, 2024
@AdamHebby AdamHebby linked a pull request Jun 19, 2024 that will close this issue