Open DaXcess opened 2 months ago
DaXcess
commented
2 months ago Here's an example that's more than just opening calculator and showcases that this has the ability to run any arbitrary code
https://github.com/ebkr/r2modmanPlus/assets/46288749/7f5d452f-01b8-4165-b66a-5930c32f8086
AdamHebby
commented
2 weeks ago Just checked on this, both versions of the Thunderstore Mod Upload Handler check that the website_url is valid - So this issue only exists for local mods. It is still an issue of course.
DaXcess
commented
2 weeks ago This also affects profile codes like this one: 01902cc2-ccf6-3f2d-12f4-49d231a6ce4a (BepInEx website opens calculator)
Describe the bug In both r2modman and TMM there is an issue in the "Website" button on a mod card that doesn't properly check if the URL is valid, and allows executing arbitrary commands and executables. This is because the website parameter is directly passed to
electron.shell.openExternal(and thereby passed toShellExecuteWwithout any sanitation), which allows the use of protocols likefileto execute dangerous commands. This includes executing programs hosted on remote SMB shares (which at that point is basically an RCE).To Reproduce Steps to reproduce the behavior:
mods.ymlfile and change thewebsiteUrlparameter to a malicious payload (e.g.file://C:/Windows/System32/calc.exe)mods.ymlExpected behavior The launcher should only allow trusted protocols (http, https) to be used, which preferably would be filtered by the
LinkImplclass. https://github.com/ebkr/r2modmanPlus/blob/4cd8d1452c225bbffc16af241cea729fa27e5b91/src/r2mm/component_override/LinkImpl.ts#L6-L8Video
https://github.com/ebkr/r2modmanPlus/assets/46288749/a4754771-c226-4da0-b780-1dc1b1e038c2