Mattermost Enterprise Denial of Service

Introduction

LaTeX is a document typesetting system that takes a plaintext file, stylised using mark-up tags similar to HTML or CSS, and converts this into a high-quality document for displaying on screen. It is most commonly used in academia for the communication and publication of technical and scientific documentation. KaTeX is a JavaScript library, based on TeX, that is capable of rendering a subset of LaTeX’s mathematical notation in web browsers.

Figure 1: An example of LaTeX rendering of a complex mathematical equation

MDSec discovered that Mattermost Enterprise Server was vulnerable to a KaTeX parsing issue that resulted in a Denial of Service (DoS) condition when attempting to render an equation which included an excessive amount of vertical space.

Mattermost is an open-source, private cloud chat service, similar to Slack and Microsoft Teams, designed as an internal chat solution for organisations. Mattermost has Public Channels which allow broader group discussion and Direct Messages for private conversations between individuals.

This issue affected versions up to the latest version of Mattermost Enterprise Server at the time of discovery (5.21.0) and if exploited, would result in an entire Public Channel or Direct Message between individuals being rendered unavailable to all participants.

Proof of Concept

MDSec discovered that the following multi-line KaTeX equation would cause a Denial of Service (DoS) condition in Mattermost Enterprise Server up to the latest version (5.21.0):

```latex
\begin{pmatrix}a\\[99999em]\end{pmatrix}
```

Here, the `pmatrix` environment denotes a parenthesis-delimited matrix, and the row separator `\\` inside a matrix accepts an optional length argument, `99999em` in this case, which inserts an arbitrary amount of vertical space after the row. When a very large CSS em value such as 99999 is used, Mattermost Enterprise Server consumes excessive CPU attempting to lay out the output, resulting in the Denial of Service (DoS) condition we observed.

Figure 2: Screenshot showing the resulting Denial of Service (DoS) condition as Mattermost Enterprise Server struggles to render the excessive vertical space

This effectively prevents the affected Public Channel or Direct Message from loading indefinitely, as neither the user who posted the payload nor an administrator can open the chat to delete it.

Another equation that has been known to affect other products in a similar way is provided below, though this did not have a noticeable performance impact on Mattermost Enterprise Server:

```latex
\rule{999999em}{999999em}
```

This issue has previously affected sites such as RocketChat, using the similar payload `\[\begin{pmatrix}a\[99999em]\end{pmatrix}]`, and GitLab, where chaining multiple `\sqrt` commands together consumed server resources without limit. In the GitLab case users were left unable to view an issue and the project owner unable to close it, and a $1,000 bug bounty was paid through HackerOne.

Recommendations

This issue was fixed by Mattermost in pull request 5119 for Mattermost Enterprise Server version 5.22.0, which set new limits for KaTeX rendering using the `maxExpand` and `maxSize` options.

The `maxSize` option caps user-specified lengths, preventing large width/height visual affronts, and the `maxExpand` option limits the number of macro expansions, preventing infinite macro loop attacks. Together they stop the rendering of extremely large elements and their abuse for Denial of Service (DoS) attacks.

When using the KaTeX library in your own projects, it is also recommended to use the `trust` option to determine which commands the KaTeX parser may execute, and the `allowedProtocols` option to restrict which URL schemes commands such as `\href` and `\url` may reference. Both commands have the potential for abuse to launch cross-site scripting attacks, for example `\url{javascript:alert(1)}` or `\href{javascript:alert(1)}{placeholder}`.
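As an added example (not code from the MDSec post, nor Mattermost's own fix), the following JavaScript shows what the recommendations above look like in practice: a hardened KaTeX options object using the real `maxSize`, `maxExpand` and `trust` options, plus a server-side pre-render check that measures the largest explicit length in a TeX snippet so abusive input like the `pmatrix` and `\rule` payloads from the Proof of Concept can be rejected and logged before the renderer is ever invoked. The numeric limits, the `PT_PER_UNIT` table (10pt base font assumed), and the helper names `hardenedKatexOptions`, `largestLengthEm`, `exceedsSizeLimit` and `renderGuarded` are all my assumptions; the shape of the `trust` callback context (`command`, `url`, `protocol`) follows the KaTeX documentation.

```javascript
// Added example: hardened KaTeX options plus a defence-in-depth size check.
// Option names maxSize, maxExpand and trust are real KaTeX options; the
// numeric limits below are assumptions, not values from the advisory.

const MAX_SIZE_EM = 500;     // cap for user-specified lengths, in ems
const MAX_EXPAND = 1000;     // cap for macro expansions
const SAFE_PROTOCOLS = new Set(['http', 'https']);

// Options object to pass to katex.render / katex.renderToString.
function hardenedKatexOptions() {
  return {
    throwOnError: false,   // render the error text instead of throwing
    maxSize: MAX_SIZE_EM,  // clamps \rule{999999em}{999999em}, \\[99999em], ...
    maxExpand: MAX_EXPAND, // stops runaway \def / \newcommand loops
    // KaTeX calls this for \href, \url and similar commands; the context
    // fields (command, url, protocol) are those documented for the trust API.
    trust: (ctx) => (ctx.command === '\\href' || ctx.command === '\\url')
      && SAFE_PROTOCOLS.has(ctx.protocol),
  };
}

// Approximate TeX points per unit for the length units checked here.
// Assumption: a 10pt base font, so 1em = 10pt and 1mu = 1/18 em. Coarse,
// but sufficient for a pre-render sanity check.
const PT_PER_UNIT = { pt: 1, mm: 2.845, cm: 28.45, in: 72.27, bp: 1.00375,
  pc: 12, dd: 1.07, cc: 12.84, sp: 1 / 65536, em: 10, ex: 4.3, mu: 10 / 18 };

// Find every explicit length in the TeX source (e.g. "99999em" inside
// \\[99999em] or \rule{999999em}{999999em}) and return the largest in ems.
// A chat server can run this on a message before handing it to the renderer:
// it does not replace maxSize, it lets the server reject and log abusive
// input instead of silently rendering a clamped version.
function largestLengthEm(tex) {
  const re = /(-?\d*\.?\d+)\s*(pt|mm|cm|in|bp|pc|dd|cc|sp|em|ex|mu)\b/g;
  let largest = 0;
  for (const m of tex.matchAll(re)) {
    const em = Math.abs(parseFloat(m[1])) * PT_PER_UNIT[m[2]] / PT_PER_UNIT.em;
    if (em > largest) largest = em;
  }
  return largest;
}

function exceedsSizeLimit(tex, limitEm = MAX_SIZE_EM) {
  return largestLengthEm(tex) > limitEm;
}

// Guarded render: `katex` is passed in (e.g. require('katex')) so the check
// itself can be exercised without the library installed.
function renderGuarded(tex, katex) {
  if (exceedsSizeLimit(tex)) {
    return { rendered: null, reason: `length exceeds ${MAX_SIZE_EM}em` };
  }
  return { rendered: katex.renderToString(tex, hardenedKatexOptions()), reason: null };
}

// Constructed inputs: the two payloads from the advisory and a benign equation.
const SAMPLES = {
  pmatrix: '\\begin{pmatrix}a\\\\[99999em]\\end{pmatrix}',
  rule: '\\rule{999999em}{999999em}',
  benign: '\\frac{a}{b} + \\sqrt{c}',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, tex] of Object.entries(SAMPLES)) {
    console.log(name, exceedsSizeLimit(tex) ? 'REJECT' : 'ok', largestLengthEm(tex) + 'em');
  }
}
```

In a deployment the options object is what changes the outcome: with `maxSize` set, the `99999em` row gap is clamped rather than laid out, and with `trust` restricted to `http`/`https`, a `javascript:` URL inside `\url` or `\href` is rendered as plain text instead of a link. The pre-render check is the optional extra that turns a silently clamped payload into a logged, rejectable event.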

Disclosure Timeline

  • 20/03/2020 – Reported to Mattermost via their responsible disclosure address
  • 21/03/2020 – Further details and remediation advice provided to Mattermost
  • 24/03/2020 – Mattermost responds acknowledging the issue and advises a pull request will be opened for the issue
  • 24/03/2020 – Mattermost advises a pull request (5119) has been opened for the issue
  • 30/03/2020 – Mattermost advises the pull request has been merged into the 5.22 release due on April 16th, 2020
  • 16/04/2020 – Mattermost Enterprise Server 5.22 is released fixing the KaTeX parsing issue
  • 19/05/2020 – Public disclosure on MDSec blog

This blog post was written by James Hall.

Copyright 2020 MDSec