ownCloud: RCE in ci.owncloud.com / ci.owncloud.org

ID H1:98559
Type hackerone
Reporter tomdev
Modified 2015-11-09T17:37:12



I know you are more interested in vulnerabilities found in ownCloud Server, but I do would like to inform you on a RCE that can be executed on ci.owncloud.[com/org].

Vulnerability There is a 0day vulnerability in Jenkins that can be exploited in certain circumstances. The Jenkins instance on ci.owncloud.[com/org] is vulnerabile for this attack since it is configured to run on a public IP address and is not firewalled.

The vulnerability exists in the common library used by Java to (de)serialize data. Jenkins will deserialize and execute configuration data sent to a specific port it is listening on. More information on the vulnerability can be found in this article.

It was easy to find the Jenkins instance because its name is easy guessable (only later on I found out its also being linked to from your GitHub page).

POC I used a payload to confirm the RCE which tells me ci.jenkins.org is running Debian 7. You can use this information as confirmation on the RCE.

I was also able to read the /etc/passwd file, but I'd rather not send the data it contains in this report.

Mitigation - Shut down ci.owncloud.com for the time being - Run ci.owncloud.com on a VPN instead of on a world-accessible public IP address - Firewall the Jenkins instance

Regards, @tomdev