https://github.com/nextcloud/desktop/pull/4771 added support for "local edit"; this feature is, however, implemented in an insecure way.

The code calls QDesktopServices::openUrl(QUrl::fromLocalFile(foundFiles.first())), and foundFiles.first() will be the path of the file specified via the deeplink:

    // In case the VFS mode is enabled and a file is not yet hydrated, we must call QDesktopServices::openUrl from a separate thread, or, there will be a freeze.
    // To avoid searching for a specific folder and checking if the VFS is enabled - we just always call it from a separate thread.
    QtConcurrent::run([foundFiles] {
        QDesktopServices::openUrl(QUrl::fromLocalFile(foundFiles.first()));
    });

QDesktopServices::openUrl is, however, not suited for untrusted user input, as it will also execute files directly.
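Added example, not code from the Nextcloud client: a gate a deep-link handler could run before the path reaches QDesktopServices::openUrl, refusing targets outside the sync root and targets the shell would execute rather than display. It is plain C++17 with std::filesystem so it builds without Qt; the sync root, the function names and the deliberately short list of script-like extensions are assumptions for illustration, and an allow-list of viewer-only types is the stronger design.

```cpp
// Added example (not Nextcloud code): gate a deep-link target before it is
// handed to a shell "open" call. Sync root, names and the extension list are
// assumptions; the list is illustrative, not exhaustive.
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <string>
#include <vector>

namespace fs = std::filesystem;

enum class OpenDecision { Allowed, OutsideSyncRoot, ExecutableType };

// File types the Windows shell runs instead of displaying on "open".
// Constructed, short deny-list; prefer an allow-list of viewer types.
static const std::vector<std::string> kScriptLikeExts = {
    ".exe", ".bat", ".cmd", ".com", ".vbs", ".js", ".wsf", ".ps1", ".hta", ".lnk"};

// Lower-cased extension so "MACRO.Vbs" is treated like "macro.vbs".
static std::string lowerExt(const fs::path& p) {
    std::string ext = p.extension().string();
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return ext;
}

// True only if `child` lies strictly below `root`; both are compared
// component-wise after normalisation, so ".." segments and sibling-prefix
// names ("/sync-evil/x" vs "/sync") do not pass.
static bool isStrictlyInside(const fs::path& root, const fs::path& child) {
    auto [rootEnd, childIt] =
        std::mismatch(root.begin(), root.end(), child.begin(), child.end());
    return rootEnd == root.end() && childIt != child.end();
}

OpenDecision checkDeepLinkTarget(const fs::path& syncRoot, const fs::path& requested) {
    std::error_code ec;
    fs::path root = fs::weakly_canonical(syncRoot, ec);
    if (ec) return OpenDecision::OutsideSyncRoot;
    if (root.filename().empty()) root = root.parent_path();  // drop trailing separator
    fs::path target = fs::weakly_canonical(requested, ec);
    if (ec || !isStrictlyInside(root, target)) return OpenDecision::OutsideSyncRoot;
    const std::string ext = lowerExt(target);
    if (std::find(kScriptLikeExts.begin(), kScriptLikeExts.end(), ext) != kScriptLikeExts.end())
        return OpenDecision::ExecutableType;
    return OpenDecision::Allowed;
}
```

Only a result of OpenDecision::Allowed should reach the openUrl call; the other two outcomes are worth logging, since a deep link pointing at a script is exactly the pattern described above.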
The following proof of concept was performed under Windows 10:

- A test.vbs file such as: MsgBox "Hallo", VBOKOnly, "Ok"
- Opening .nc://open/[email protected]/test.vbs in the browser (adjust username and instance path)

Note: This can also be exploited by a remote attacker if they upload a file to the same instance a user has access to.
There are several mitigation recommendations here:

- nc://open/ link and have the client verify the token on request.

Please note that all bugs reported by Authentick GmbH will be publicly disclosed within 90 days of vendor notification. In extraordinary cases we may increase that upon request by the vendor.
The Nextcloud Desktop Client in version 3.6.0 is vulnerable to a Remote Code Execution that can be exploited by anyone who is able to upload files to an instance the user has access to. In many cases this will be everyone, due to public chats, file drop uploads, etc.

Exploitation just requires the victim to visit a malicious web page (or click a link in an email or anything like that).