Gather.town 0-day Report

Introduction

Discoveries

  1. RCE on Gather town desktop app
  2. Input Validation Bypass
  3. XSS on cdn.gather.town
  4. Potential blind SSRF
  5. Verification code with insufficient rate limiting

1. RCE on Gather town desktop app

Description

Details

// Excerpt 1: BrowserWindow webPreferences of the desktop app. With
// contextIsolation disabled and nodeIntegration enabled, any page that
// gets loaded into this window can reach Node APIs (window.require("electron")).
webPreferences: {
    preload: path_1["default"].join(__dirname, "./interop.js"),
    nativeWindowOpen: true,
    // We have to disable this to allow for window.require("electron"), but we may want to consider
    // taking a second look at this in the future. From:
    // https://www.electronjs.org/docs/breaking-changes#default-changed-contextisolation-defaults-to-true
    // "We recommend having contextIsolation enabled for the security of your application."
    contextIsolation: false, // <-----------
    nodeIntegration: true, // <-----------
    enableRemoteModule: true
},

// Excerpt 2: navigation handling. includes() is a plain substring test, so a URL
// on a foreign host whose path merely contains an in-app string (as in the PoC URL
// in the steps below) passes the check and is loaded into the Node-enabled window.
if (IN_APP_URLS.some(function (inAppUrl) { return baseUrl.includes(inAppUrl); })) {
    // load some gather urls in same window
    mainWindow.loadURL(url);
}

Steps to Reproduce

  1. Use the desktop app on Windows, enter a space
  2. Post https://innerht.ml/gather.town/app/ in the chat room
  3. Click it
  4. Observe calc.exe popping up

Fix

Screenshot: calc.exe launched from the desktop app

2. Input Validation Bypass

Description

Details

Steps to Reproduce

  1. Join any event in gather.town
  2. Edit your name in event, submit and intercept the WebSocket request
  3. Modify {"event":"rpc","target":"space","args":{"space":"","type":"name","name":"<very long name>"}} and submit
  4. Refresh the page and join again
Screenshot: the overlong display name rendered in the space

Fix

3. XSS on cdn.gather.town

Description

Details

Screenshot: XSS on cdn.gather.town

Fix

4. Potential blind SSRF

Description

Steps to Reproduce

5. Verification code with insufficient rate limiting

Description

Steps to Reproduce

Fix


VXRL Team was founded by a group of enthusiastic security researchers, providing information security services and contributing to the community. https://www.vxrl.hk
