element-hq / element-desktop

A glossy Matrix collaboration client for desktop.
https://element.io
GNU Affero General Public License v3.0

Element Windows lets Python, PHP, EXE scripts execute with no warning #1818

Open bruno24pt opened 2 months ago

bruno24pt commented 2 months ago

Steps to reproduce

Similar to WhatsApp & Telegram for Windows, I believe this issue applies to Element as well.

https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/

Element Windows allows sending Python, PHP and EXE attachments that are executed without any warning when the recipient opens them.

Outcome

Several solutions can be considered:

  1. Warn the user that this file may be dangerous
  2. Mark the file as coming from the internet
  3. Prevent the user from opening the file directly etc

Operating system

Windows

Application version

No response

How did you install the app?

No response

Homeserver

No response

Will you send logs?

No

davidegirardi commented 2 months ago

I just wrote a simple hello world application in C#, compiled it to a .exe and sent it via Element. The receiving client downloaded the file and it was marked as untrusted.


weezl commented 2 months ago

I just wrote a simple hello world application in C#, compiled it to a .exe and sent it via Element. The receiving client downloaded the file and it was marked as untrusted.

I tested with a downloaded .exe, as well as with a .pyz file I created and sent from a different computer (as described in the bleepingcomputer link in OP).

Once downloaded both files indeed show as untrusted in Properties, but clicking the Open button in Element starts the .exe as well as the .pyz without asking for further confirmation.


Windows 22H2
Element version: 1.11.73
Crypto version: Rust SDK 0.7.1 (431263d), Vodozemac 0.6.0

Considering other apps like Telegram and WhatsApp give a warning before opening such files, I think a similar warning message in Element about potential danger before opening certain file types, or even preventing access altogether from within Element, would be good.

Telegram seems to have added python scripts to their blacklist according to this: https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/

davidegirardi commented 2 months ago

Did you test this by sending calc.exe or another signed executable? Then of course it runs. It will run even if you download it with Microsoft Edge.

Here's what happens if you send something Windows/Microsoft don't already know about: nope.webm

davidegirardi commented 2 months ago

I think Element does the right thing from a technical point of view. Would adding some warning text in the veil of "open the file only if you trust the sender" help somehow?

bestrocker221 commented 2 months ago

Another option would be not to let the Element application directly open files at all, instead offering something like "Open download folder" where the files are downloaded from Element, and letting the user open them from the file explorer directly. Similar applications have been doing it like this, i.e. Keybase.

weezl commented 2 months ago

I think Element does the right thing from a technical point of view. Would adding some warning text in the veil of "open the file only if you trust the sender" help somehow?

I agree that technically the "fault" is not with Element.

But the behavior of other apps of giving warnings before opening risky files is sensible when dealing with this.

I like bestrocker221's proposal of simply opening the containing folder instead of the file directly, this completely bypasses the problem, and is what the user will have to do anyway if the file were to be on a blacklist.
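A sketch of the combined approach discussed in the comments above (warn before launching risky file types, and send Mark-of-the-Web-marked executables to the containing folder instead of launching them from the client), as an added example that is not element-desktop's code. The extension deny-list, the policy names and the sample Zone.Identifier contents are constructed for illustration.

```typescript
// Added example, not element-desktop code: decide what a desktop client's
// "Open" action should do with a downloaded attachment, combining Windows'
// Mark-of-the-Web (the Zone.Identifier alternate data stream) with an
// extension deny-list. Extension list and policy names are assumptions.
import * as path from "path";
import * as fs from "fs";

type OpenPolicy = "open" | "warn" | "reveal-only";

// Extensions Windows runs directly or hands to a script interpreter.
// Constructed list; .pyz is the case tested in the thread above.
const EXECUTABLE_EXTS = new Set([".exe", ".com", ".scr", ".bat", ".cmd", ".msi",
  ".ps1", ".vbs", ".js", ".jar", ".py", ".pyw", ".pyz", ".php", ".hta", ".lnk"]);

// URL security zone ids written into Zone.Identifier by browsers and clients.
const ZONE_INTERNET = 3;

interface ZoneIdentifier { zoneId: number; referrerUrl?: string; hostUrl?: string; }

// Parse the INI-style contents of <file>:Zone.Identifier, e.g.
// "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/f".
// Returns null when the stream is absent or carries no ZoneId (not marked).
function parseZoneIdentifier(stream: string | null): ZoneIdentifier | null {
  if (!stream) return null;
  const fields = new Map<string, string>();
  let inSection = false;
  for (const raw of stream.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("[")) { inSection = line.toLowerCase() === "[zonetransfer]"; continue; }
    if (!inSection) continue;
    const eq = line.indexOf("=");
    if (eq > 0) fields.set(line.slice(0, eq).trim().toLowerCase(), line.slice(eq + 1).trim());
  }
  const zoneText = fields.get("zoneid");
  if (zoneText === undefined || zoneText === "") return null;
  const zone = Number(zoneText);
  if (!Number.isInteger(zone)) return null;
  return { zoneId: zone, referrerUrl: fields.get("referrerurl"), hostUrl: fields.get("hosturl") };
}

// Policy: an executable or script marked as coming from the Internet zone (or
// a more restricted one) is never launched by the client itself; the user is
// only shown the containing folder, where Explorer applies its own checks.
// An unmarked executable still gets a warning; everything else opens normally.
function openPolicy(fileName: string, zone: ZoneIdentifier | null): OpenPolicy {
  const ext = path.extname(fileName).toLowerCase();
  if (!EXECUTABLE_EXTS.has(ext)) return "open";
  if (zone && zone.zoneId >= ZONE_INTERNET) return "reveal-only";
  return "warn";
}

// On Windows/NTFS the stream is readable through the "file:stream" path syntax;
// returns null on other platforms or when the file carries no mark.
function readZoneIdentifier(filePath: string): string | null {
  try { return fs.readFileSync(`${filePath}:Zone.Identifier`, "utf8"); } catch { return null; }
}
```

`openPolicy(name, parseZoneIdentifier(readZoneIdentifier(name)))` gives the action for a file on disk; for a "reveal-only" result the client would show the download folder rather than call the platform's open-file API.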

miri010 commented 1 month ago

After discovering this vulnerability on Luxchat, I won't have a CVE under my name because, based on the VDP (Vulnerability Disclosure Program), this shouldn't have been published online. Thanks for your professionalism. But yeah, I would say the vulnerability is based on the app because it should have a mechanism to scan malicious files, as I wrote in my report that I submitted to Nicolas DEBEFFE, Chief Information Security Officer at LU-CIX Management G.I.E.

Contact: https://www.linkedin.com/in/miri-mohammed-083231253/