Open bruno24pt opened 2 months ago
I just wrote a simple hello world application in C#, compiled it to a .exe
and sent it via Element. The receiving client downloaded the file and it was marked as untrusted.
I tested with a downloaded .exe, as well as with a .pyz file I created and sent from a different computer (as described in the bleepingcomputer link in OP)
Once downloaded both files indeed show as untrusted in Properties, but clicking the Open button in Element starts the .exe as well as the .pyz without asking for further confirmation.
Windows 22H2
Element version: 1.11.73
Crypto version: Rust SDK 0.7.1 (431263d), Vodozemac 0.6.0
Considering other apps like Telegram and WhatsApp give a warning before opening such files, I think a similar warning message in Element about potential danger before opening certain file types, or even preventing access altogether from within Element would be good.
Telegram seems to have added python scripts to their blacklist according to this: https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/
Did you test this by sending calc.exe or another signed executable? Then of course it runs. It will run even if you download it with Microsoft Edge.
Here's what happens if you send something Windows/Microsoft don't already know about: nope.webm
I think Element does the right thing from a technical point of view. Would adding some warning text in the vein of "open the file only if you trust the sender" help somehow?
Another option would be not to let the Element application directly open files at all, instead offering something like "Open download folder" where the files are downloaded from Element and letting the user open them from the file explorer directly. Similar applications have been doing it like this, e.g. Keybase.
I think Element does the right thing from a technical point of view. Would adding some warning text in the vein of "open the file only if you trust the sender" help somehow?
I agree that technically the "fault" is not with Element.
But the behavior of other apps of giving warnings before opening risky files is sensible when dealing with this.
I like bestrocker221's proposal of simply opening the containing folder instead of the file directly; this completely bypasses the problem, and is what the user will have to do anyway if the file were to be on a blacklist.
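The two proposals discussed in this thread (warn before opening risky file types, or reveal the file in its folder instead of launching it), sketched as an added example that is not Element's code. The extension list, the function names and the `userConfirmed` flag are assumptions made for illustration.

```javascript
// Extensions that Windows executes or hands to an interpreter on open.
// Constructed, non-exhaustive list; .exe, .pyz and PHP come from the thread.
const RISKY_EXTENSIONS = new Set([
  "exe", "com", "scr", "msi", "bat", "cmd", "ps1", "vbs", "js", "jse",
  "wsf", "hta", "lnk", "py", "pyw", "pyz", "pyzw", "php", "jar",
]);

// Return the extension the Windows shell would act on for this name.
function effectiveExtension(fileName) {
  // Inspect only the leaf name, whatever path separators were used.
  let leaf = fileName.split(/[\\/]/).pop();
  // Drop an NTFS alternate data stream suffix ("name.exe:stream").
  leaf = leaf.split(":")[0];
  // Win32 strips trailing dots and spaces, so "a.exe. " is really "a.exe".
  leaf = leaf.replace(/[. ]+$/, "");
  const dot = leaf.lastIndexOf(".");
  // Only the last extension matters: "invoice.pdf.exe" is an .exe.
  return dot < 0 ? "" : leaf.slice(dot + 1).toLowerCase();
}

// Decide what the "Open" button should do. Returns one of:
//   "open"   - hand the file to the OS (in Electron: shell.openPath)
//   "warn"   - show a confirmation dialog first
//   "reveal" - show the file in its folder (in Electron: shell.showItemInFolder)
// A risky file is never launched from the chat window, even after the user
// confirms; the user has to start it from the file manager.
function openAction(fileName, { userConfirmed = false } = {}) {
  if (!RISKY_EXTENSIONS.has(effectiveExtension(fileName))) return "open";
  return userConfirmed ? "reveal" : "warn";
}

// Constructed sample attachment names.
const samples = [
  "photo.jpg", "hello.exe", "invoice.pdf.EXE", "tool.pyz. ", "page.php",
];
for (const name of samples) {
  console.log(JSON.stringify(name), "->", openAction(name));
}
```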
After discovering this vulnerability on Luxchat, I won't have a CVE under my name because, based on the VDP (Vulnerability Disclosure Program), this shouldn't have been published online. Thanks for your professionalism. But yeah, I would say the vulnerability is based on the app because it should have a mechanism to scan malicious files, as I wrote in my report that I submitted to Nicolas DEBEFFE, Chief Information Security Officer at LU-CIX Management G.I.E
Contact: https://www.linkedin.com/in/miri-mohammed-083231253/
Steps to reproduce
Similar to WhatsApp & Telegram for Windows, I believe this issue applies to Element as well.
https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/
Element Windows allows sending Python, PHP and EXE attachments that are executed without any warning when the recipient opens them.
Outcome
Several solutions can be considered:
Operating system
Windows
Application version
No response
How did you install the app?
No response
Homeserver
No response
Will you send logs?
No