Open DaXcess opened 2 months ago
Here's an example that's more than just opening calculator and showcases that this has the ability to run any arbitrary code
https://github.com/ebkr/r2modmanPlus/assets/46288749/7f5d452f-01b8-4165-b66a-5930c32f8086
Just checked on this, both versions of the Thunderstore Mod Upload Handler check that the `website_url` is valid - so this issue only exists for local mods. It is still an issue of course.
This also affects profile codes like this one: 01902cc2-ccf6-3f2d-12f4-49d231a6ce4a (BepInEx website opens calculator)
Describe the bug
In both r2modman and TMM there is an issue in the "Website" button on a mod card that doesn't properly check if the URL is valid, and allows executing arbitrary commands and executables. This is because the website parameter is directly passed to `electron.shell.openExternal` (and thereby passed to `ShellExecuteW` without any sanitation), which allows the use of protocols like `file` to execute dangerous commands. This includes executing programs hosted on remote SMB shares (which at that point is basically an RCE).

To Reproduce
Steps to reproduce the behavior:
1. `mods.yml` file and change the `websiteUrl` parameter to a malicious payload (e.g. `file://C:/Windows/System32/calc.exe`)
2. `mods.yml`

Expected behavior
The launcher should only allow trusted protocols (http, https) to be used, which preferably would be filtered by the `LinkImpl` class. https://github.com/ebkr/r2modmanPlus/blob/4cd8d1452c225bbffc16af241cea729fa27e5b91/src/r2mm/component_override/LinkImpl.ts#L6-L8

Video
https://github.com/ebkr/r2modmanPlus/assets/46288749/a4754771-c226-4da0-b780-1dc1b1e038c2
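As an added example (not code from r2modmanPlus or from the reporter), this is the kind of protocol allow-list the expected behavior above describes: parse the value as a URL, accept only `http:`/`https:`, and only then hand it to the opener. The opener is injected so the check runs without Electron; the function names `isTrustedWebsiteUrl` and `openWebsiteSafely` are hypothetical.

```typescript
// Added example, not r2modman's own code. In the app, the opener passed to
// openWebsiteSafely would be electron.shell.openExternal, and this check would
// sit in front of it (for instance inside the LinkImpl class the issue names).

const TRUSTED_PROTOCOLS = new Set(["http:", "https:"]);

/** True only for absolute http(s) URLs that parse cleanly and name a host. */
function isTrustedWebsiteUrl(raw: string): boolean {
  let parsed: URL;
  try {
    // WHATWG parsing lower-cases the scheme and strips leading/trailing
    // whitespace, so "  FILE://..." cannot slip past a naive prefix check.
    parsed = new URL(raw);
  } catch {
    return false; // relative or unparsable values never reach the shell
  }
  // A scheme alone is not a website; require a hostname as well.
  return TRUSTED_PROTOCOLS.has(parsed.protocol) && parsed.hostname.length > 0;
}

type Opener = (url: string) => void;

/**
 * Gate an opener (shell.openExternal in the real app) behind the allow-list.
 * Returns whether the link was actually forwarded to the opener.
 */
function openWebsiteSafely(raw: string, open: Opener): boolean {
  if (!isTrustedWebsiteUrl(raw)) {
    return false; // rejected: nothing is passed on to the OS
  }
  open(raw);
  return true;
}

// Constructed sample inputs, including the payload from the report.
const SAMPLE_URLS = [
  "https://thunderstore.io/",
  "file://C:/Windows/System32/calc.exe",
  "  FILE://C:/Windows/System32/calc.exe",
  "not a url",
];
for (const u of SAMPLE_URLS) {
  console.log(`${JSON.stringify(u)} -> ${isTrustedWebsiteUrl(u) ? "allowed" : "blocked"}`);
}
```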