Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneRhinosecuritylabsH1:148151
HistoryJun 29, 2016 - 6:53 a.m.

ownCloud: SMB User Authentication Bypass and Persistence

2016-06-2906:53:24
rhinosecuritylabs
hackerone.com
208

0.003 Low

EPSS

Percentile

70.1%

JSON

Authentication Bypass

The external user authentication app in OwnCloud does not properly authenticate against an SMB server. In it’s current implementation, the file (owncloud/apps/user_external/lib/smb.php, line 46-47) uses the command smbclient -L //host/dummy -Uuser%pass, where the variables user and pass are escaped for shell characters. However, default Samba SMB servers set “map to guest” to the value “bad user”. This allows for the listing of shares regardless of user, but not further information.

The image shows the command smbclient -L //localhost/dummy -Utest%test succeeding with an invalid user “test” using password “test”, yet the user does not exist as shown by the second command smbclient //localhost/dummy -Utest%test.

{F102413}

When the default “map to guest” parameter is changed to “never” in the smb.conf for the SMB server, both commands fail as required.

{F102414}

To properly validate the user the command should simply be smbclient //host -Uuser%pass. This properly authenticates the user and returns a valid error message the the script can interpret. In it’s current implementation, providing any username to the application will log you in as that user - even creating a new one if necessary.

To Replicate

  1. Set up a Samba SMB server like detailed on this page:

https://help.ubuntu.com/community/How to Create a Network Share Via Samba Via CLI (Command-line interface/Linux Terminal) - Uncomplicated, Simple and Brief Way!

  1. Login to the OwnCloud application and enable the external user authentication app.

  2. Edit the config and add:
    ‘user_backends’ =>
    array (
    0 =>
    array (
    ‘class’ => ‘OC_User_SMB’,
    ‘arguments’ =>
    array (
    0 => ‘SMBHOST’,
    ),
    ),
    ),

  3. If a user already exists and you have the username, you can login using any password (including the administrator account!). If user doesn’t exist, it will create said user and log you in.

Untrusted Parameter Host

In the same php file (owncloud/apps/user_external/lib/smb.php, line 46-47) the parameter host is not properly escaped. This allows for code execution every time a user logs into the application if they were able to edit the owncloud/config/config.php file. This could allow for a valid persistence mechanism within the application.

Related

osv 1
ubuntucve 1
cvelist 1
prion 1
nextcloud 1
cve 1
nvd 1
openvas 2
osv
osv
CVE-2016-9463
2017-03-28 02:59:00
ubuntucve
ubuntucve
CVE-2016-9463
2017-03-28 00:00:00
cvelist
cvelist
CVE-2016-9463
2017-03-28 02:46:00
prion
prion
Authentication flaw
2017-03-28 02:59:00
nextcloud
nextcloud
SMB User Authentication Bypass (NC-SA-2016-006)
2016-10-10 00:00:00
cve
cve
CVE-2016-9463
2017-03-28 02:59:00
nvd
nvd
CVE-2016-9463
2017-03-28 02:59:00
openvas
openvas
Nextcloud Multiple Vulnerabilities - Linux
2017-03-30 00:00:00
Nextcloud Multiple Vulnerabilities - Windows
2017-03-30 00:00:00

0.003 Low

EPSS

Percentile

70.1%

JSON
Related for H1:148151
osv1ubuntucve1cvelist1prion1nextcloud1cve1nvd1openvas2