Command injection in matrix-appservice-irc https://pktz.fr/matrix/security/2022-appservice-irc-command-injection/ 2022-08-23 2022-08-24 Val Lorentz https://valentin-lorentz.fr/ Matrix, matrix-appservice-irc, NVT#1532845, GHSA-37hr-348p-rmf4, GHSA-52rh-5rpj-c3w6, CVE-2022-29166

Description

Background

The IRC protocol is based on lines, delimited by <CRLF> (aka \r\n). For example, sending two messages to users A and B looks like this: 


  PRIVMSG B :second message
]]>

When sending messages from Matrix IRC, matrix-appservice-irc correctly sanitizes \n away, by re-adding the right prefixes to each message. For example, the Matrix message 

  {
    "msgtype": "m.text",
    "first line\nsecond line"
  }
to #chan is turned into: 

  PRIVMSG #chan :second line
]]>

However, some IRC servers also support <CR> alone as delimiter (see the Modern-IRC specification). For example, this includes Solanum, the IRC server used by Libera.chat.

First issue: missing sanitization

matrix-appservice-irc did not sanitize <CR>, which means the Matrix message
is turned into: 

  PRIVMSG #chan :second line
]]>

This alone is only a minor issue, as someone sending the payload is the "owner" of the IRC puppet.

Second issue: repeated reply fallback

However, under certain circumstances, matrix-appservice-irc repeats the original message (ie. the reply fallback) when sending a reply. This means that if an attacker sends the above Matrix and tricks a victim into replying to it with "answer", the Matrix event of the answer is something like this: 

 <@attacker:matrix.org> first line\rsecond line\nanswer",
    "format": "org.matrix.custom.html",
    "formatted_body": "
In reply to @attacker:matrix.org
first line\rsecond line
answer",
    "m.relates_to": {
      "m.in_reply_to": {
        "event_id": "redacted"
      }
    },
    "msgtype": "m.text",
    ...
  }
]]>
which matrix-appservice-irc then translates to IRC commands: 

  second line
  PRIVMSG #chan :answer
]]>

Wrapping-up

This second line is under the attacker's control, so they can run any command as the victim's puppet. For example, it could be QUIT :bye to make them disconnect, or PRIVMSG NickServ :SET PASSWORD hunter2 to change the password of the victim's account on the IRC network.

The obvious limitations to this attack is that victims would see the message they are replying to; but this might be hidden by attackers by adding colors, surrounding text, or simply the victim being unaware of the issue.

Conclusion

On , Matrix.org published a fix to the first issue (missing sanitization), fixing this vulnerability. The second issue (attacker-controlled text being repeated when replying) is being tracked independently as a "Tolerable" issue and not fixed at this time; though planned changes to the Matrix specification will make it a non-issue eventually.

Timeline

Reported to security@matrix.org (the content above as-is, minus the conclusion and some reformatting).
Got an automatic reply (assigned NVT#1532845).
Given the lack of human reply within 24 hours (unexpected given Matrix.org's security policy), I pinged a friend who works at Element
Matrix.org informed me "This is currently being worked on and there will be a security release happening soon to fix the issue (exact date to be determined)".
Fix for the first issue (missing sanitization) was published and announced, bridges hosted by Matrix.org were updated, Libera.chat and OFTC banned old versions of the bridge to prevent abuse.
Copy-edited from the initial email sent to Matrix.org, and published.