'=?utf-8?Q?Horizontal_Privilege_Escalation/Code_Injection_in_ownC?= =?utf-8?Q?loud=E2=80=99s_Windows_'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    =?utf-8?Q?Horizontal_Privilege_Escalation/Code_Injection_in_ownC?= =?utf-8?Q?loud=E2=80=99s_Windows_
From:       Florian Bogner <florian () bogner ! sh>
Date:       2016-08-19 7:20:04
Message-ID: 34C95DEF-0C48-42F3-91E7-7188099BE555 () bogner ! sh
[Download RAW message or body]

Horizontal Privilege Escalation/Code Injection in ownCloud's Windows Client

Metadata
===================================================
Release Date: 17-08-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: up to ownCloud's Desktop client version 2.2.2 
Tested on: Windows 7 64 bit
CVE : pending
URL: https://bogner.sh/2016/08/horizontal-privilege-escalation-in-ownclouds-windows-client/
                
Video: https://www.youtube.com/watch?v=KytWLsrjyVk
Vulnerability Status: Fixed in version 2.2.3 (oc-sa-2016-016)

Description
===================================================
The ownCloud Windows Desktop client (up to version 2.2.2) is prone to an arbitrary \
code injection vulnerability leading to code execution in other user's Windows \
sessions. The issue is that QT extensions are loaded from \
C:\usr\i686-w64-mingw32\sys-root\mingw\lib\qt5\plugins. As any authenticated user on \
Windows is allowed to create new folders within C:, the expected folder structure can \
be created. That means that any local attacker can create a malicious QT extensions \
that gets automatically loaded on the next launch of the ownCloud Desktop client in \
any local Windows session.

PoC
===================================================
1.) Download the modified QT platform's library qwindow.dll: \
https://bogner.sh/wp-content/uploads/2016/08/qwindows.dll_.zip 2.) Place it into \
C:\usr\i686-w64-mingw32\sys-root\mingw\lib\qt5\plugins\platforms  3.) Start the \
ownCloud Desktop Client: The "malicious" code is executed and a message box is opened

Disclosure Timeline
===================================================
31.7.2016: The issues have been documented and reported
4.8.2016: ownCloud verified the issue and started to work on a fix
5.8.2016: Patch has been developed and I verified that the issue has been fixed
8.8.2016: ownCloud Desktop Client 2.2.3 with the fix has been publicly released
17.8.2016: ownCloud Security Advisory oC-SA-2016-016 has been published
17.8.2016: Public disclosure

Suggested Solution
===================================================
Install the latest available version from https://owncloud.org/install

Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9=


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic