hackerone / lukasreschke / H1:1720043
History: Oct 02, 2022 - 8:51 p.m.

Nextcloud: Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link

2022-10-02 20:51:25 | lukasreschke | hackerone.com
Tags: nextcloud, desktop client, insecure handling, remote code execution, csrf token, file viewer, bug bounty

EPSS: 0.001 (percentile 34.2%)

https://github.com/nextcloud/desktop/pull/4771 added support for "local edit", but the feature is implemented in an insecure way.

The code calls QDesktopServices::openUrl(QUrl::fromLocalFile(foundFiles.first())), where foundFiles.first() is the local path of the file named in the deep link:

    // In case the VFS mode is enabled and a file is not yet hydrated, we must call QDesktopServices::openUrl from a separate thread, or, there will be a freeze.
    // To avoid searching for a specific folder and checking if the VFS is enabled - we just always call it from a separate thread.
    QtConcurrent::run([foundFiles] {
        QDesktopServices::openUrl(QUrl::fromLocalFile(foundFiles.first()));
    });

QDesktopServices::openUrl is not suited for untrusted input, however: for a local file it hands the path to the operating system's default handler, which for script and executable types means running the file rather than viewing it.

Proof of concept

The following proof of concept was performed under Windows 10:

  1. In the web interface create a file test.vbs with the content MsgBox "Hallo", VBOKOnly, "Ok".
  2. Open nc://open/<username>@<instance>/test.vbs in the browser (substitute the username and the instance host/path).
  3. The VBScript is executed by the Windows Script Host and the message box appears.

Note: This can also be exploited by a remote attacker who uploads the file to an instance the victim has access to, for example through a public share or a file drop, and then lures the victim onto the nc://open/ link.

Recommendations

There are several mitigation recommendations here:

  • Add a CSRF token to the nc://open/ link and have the client verify the token before acting on the request, so that a link an attacker crafted without the token is ignored.
  • Ensure only safe file types (documents, images and the like, never scripts or executables) are handed to the local file viewer.
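As an added example that is not part of the original report or of the Nextcloud code base, the following plain C++17 (no Qt dependency, so it builds stand-alone) sketches the gate the two recommendations call for in front of QDesktopServices::openUrl: a constant-time check of a per-session token carried by the nc://open/ link, an extension allowlist so that a .vbs never reaches the OS handler, and, going one step beyond the text, a containment check that the requested path stays inside the sync folder. The function and constant names (shouldOpenLocally, kViewerSafeExtensions, syncRoot, sessionToken) are hypothetical, and the extension list is an assumption, not Nextcloud's.

```cpp
// Added example (not Nextcloud's code): a hardening gate for deep-link paths.
// Names are hypothetical; the allowlist is an assumed, illustrative set.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <filesystem>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Allowlist of extensions the client will hand to the OS default handler.
// Anything not listed (.exe, .vbs, .js, .bat, .lnk, .hta, ...) is rejected.
static const std::vector<std::string> kViewerSafeExtensions = {
    ".pdf", ".txt", ".md", ".png", ".jpg", ".jpeg", ".gif",
    ".docx", ".xlsx", ".pptx", ".odt", ".ods", ".odp"};

// Lower-case the extension so "test.VBS" cannot slip past the allowlist.
static std::string lowerExtension(const fs::path& p) {
    std::string ext = p.extension().string();
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ext;
}

// True only for extensions on the allowlist; "payload.pdf.vbs" is still .vbs.
bool isViewerSafeFile(const std::string& path) {
    const std::string ext = lowerExtension(fs::path(path));
    return std::find(kViewerSafeExtensions.begin(), kViewerSafeExtensions.end(), ext)
           != kViewerSafeExtensions.end();
}

// Constant-time comparison so the link token cannot be guessed byte by byte.
bool tokenMatches(const std::string& provided, const std::string& expected) {
    if (provided.size() != expected.size()) return false;
    unsigned char diff = 0;
    for (std::size_t i = 0; i < provided.size(); ++i)
        diff |= static_cast<unsigned char>(provided[i] ^ expected[i]);
    return diff == 0;
}

// Reject "../" escapes and absolute paths: the normalized result must be a
// strict descendant of syncRoot.
bool isInsideSyncFolder(const std::string& syncRoot, const std::string& relative) {
    const fs::path root = fs::path(syncRoot).lexically_normal();
    const fs::path full = (root / relative).lexically_normal();
    std::string rootStr = root.generic_string();
    while (rootStr.size() > 1 && rootStr.back() == '/') rootStr.pop_back();
    const std::string fullStr = full.generic_string();
    return fullStr.size() > rootStr.size() + 1 &&
           fullStr.compare(0, rootStr.size(), rootStr) == 0 &&
           fullStr[rootStr.size()] == '/';
}

// The decision to make before calling QDesktopServices::openUrl. sessionToken
// is the value the client itself generated and published to the web UI; an
// nc://open/ link forged by a third party will not carry it.
bool shouldOpenLocally(const std::string& syncRoot, const std::string& relativePath,
                       const std::string& linkToken, const std::string& sessionToken) {
    if (!tokenMatches(linkToken, sessionToken)) return false;    // unsolicited link
    if (!isInsideSyncFolder(syncRoot, relativePath)) return false; // path traversal
    if (!isViewerSafeFile(relativePath)) return false;             // script/executable
    return true;
}
```

Two caveats a reviewer would raise: an allowlist by extension only decides which handler the OS will pick, so a "safe" type still reaches a third-party viewer with its own parsing bugs; and the token is only as good as the channel that delivers it, so it must come from the authenticated client session rather than be derivable from the link itself.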

Disclosure Policy

Please note that all bugs reported by Authentick GmbH will be publicly disclosed within 90 days of vendor notification. In extraordinary cases we may increase that upon request by the vendor.

Impact

The Nextcloud Desktop Client in version 3.6.0 is vulnerable to remote code execution that can be exploited by anyone who is able to upload files to an instance the victim has access to. In many cases that is everyone, because of public chats, file drop uploads and similar features.

Exploitation only requires the victim to visit a malicious web page or click a link, for example in an email, that points at the nc://open/ URL.