[BUG] - Website URL parameter allows executing arbitrary executables
Describe the bug
In both r2modman and TMM there is an issue with the "Website" button on a mod card: it doesn't properly check whether the URL is valid, and so allows executing arbitrary commands and executables. This is because the website parameter is passed directly to `electron.shell.openExternal` (and thereby to `ShellExecuteW` without any sanitization), which allows protocols such as `file:` to be used to execute dangerous commands. This includes executing programs hosted on remote SMB shares (which at that point is basically an RCE).
To Reproduce
Steps to reproduce the behavior:
- Create a modpack in r2modman (any game, any profile, any mods)
- Modify the `mods.yml` file and change the `websiteUrl` parameter to a malicious payload (e.g. `file://C:/Windows/System32/calc.exe`)
- Export the profile as code
- Share the code with an unsuspecting victim
- Coerce them into clicking the "Website" button on the mod that was modified in the `mods.yml`
- The payload gets triggered
Expected behavior
The launcher should only allow trusted protocols (http, https) to be used; preferably this filtering would happen in the LinkImpl class. https://github.com/ebkr/r2modmanPlus/blob/4cd8d1452c225bbffc16af241cea729fa27e5b91/src/r2mm/component_override/LinkImpl.ts#L6-L8
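As an added illustration of the expected behavior (this is example code, not r2modman's own LinkImpl), the following TypeScript guard parses the `websiteUrl` value with the WHATWG `URL` class and only hands it on when the scheme is `http:` or `https:`. The opener is injected so the code runs outside Electron; in the app one would pass `shell.openExternal`, which takes the URL string and returns a promise. The sample inputs at the bottom are constructed for the demo.

```typescript
// Added example (not r2modman's code): allowlist guard for external links.
// Only http(s) URLs reach the opener; file:, UNC paths, other schemes and
// unparsable strings are rejected before anything like shell.openExternal runs.

const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);

/** True only when `raw` parses as an absolute URL whose scheme is allowlisted. */
function isSafeExternalUrl(raw: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return false; // relative paths, UNC paths, empty strings: not an absolute URL
  }
  // The WHATWG parser lower-cases the scheme, so "HTTPS:" and "FiLe:" are normalised.
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Assumed shape of the injected opener; matches electron.shell.openExternal(url).
type ExternalOpener = (url: string) => Promise<void>;

/**
 * Guarded replacement for a raw openExternal call.
 * Returns true if the URL was handed to the opener, false if it was blocked.
 */
async function openExternalGuarded(raw: string, opener: ExternalOpener): Promise<boolean> {
  if (!isSafeExternalUrl(raw)) {
    return false;
  }
  await opener(raw);
  return true;
}

// Constructed sample values of the kind a websiteUrl field in mods.yml could hold.
const SAMPLE_URLS: ReadonlyArray<string> = [
  "https://thunderstore.io/",
  "http://example.com/mod",
  "HTTPS://example.com/upper-case-scheme",
  "file://C:/Windows/System32/calc.exe",
  "file:///etc/passwd",
  "\\\\fileserver.invalid\\share\\tool.exe", // UNC path, not a URL
  "ftp://example.com/mod.zip",
  "not a url",
  "",
];

/** Partition a list of candidate URLs into allowed and blocked sets. */
function classify(urls: ReadonlyArray<string>): { allowed: string[]; blocked: string[] } {
  const allowed: string[] = [];
  const blocked: string[] = [];
  for (const u of urls) {
    (isSafeExternalUrl(u) ? allowed : blocked).push(u);
  }
  return { allowed, blocked };
}

// Stand-alone demo: a recording opener stands in for shell.openExternal.
async function main(): Promise<void> {
  const opened: string[] = [];
  const recordingOpener: ExternalOpener = async (u) => { opened.push(u); };
  for (const u of SAMPLE_URLS) {
    const ok = await openExternalGuarded(u, recordingOpener);
    console.log(`${ok ? "ALLOW" : "BLOCK"} ${JSON.stringify(u)}`);
  }
  console.log(`opened ${opened.length} of ${SAMPLE_URLS.length} candidates`);
}

main();
```

Parsing with `URL` rather than matching a prefix with a regex is the point: it rejects anything that is not an absolute URL (so a UNC path never becomes "valid"), and it normalises scheme case, so an upper-case `FILE:` cannot slip past a lower-case string comparison.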
Video
This was recorded on TMM, but the issue applies to both r2modman and TMM.
https://github.com/ebkr/r2modmanPlus/assets/46288749/a4754771-c226-4da0-b780-1dc1b1e038c2
Here's an example that goes beyond opening the calculator and shows that this can run arbitrary code:
https://github.com/ebkr/r2modmanPlus/assets/46288749/7f5d452f-01b8-4165-b66a-5930c32f8086
Just checked on this: both versions of the Thunderstore Mod Upload Handler check that the `website_url` is valid, so this issue only exists for local mods. It is still an issue of course.
This also affects profile codes like this one: 01902cc2-ccf6-3f2d-12f4-49d231a6ce4a (BepInEx website opens calculator)