CVE-2023-49105
published 2023-11-21


Priority: P2 · 74 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 11.07% (95.4th percentile)
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| owncloud | owncloud_server | >= 10.6.0 < 10.13.1 | 10.13.1 |

Detection & IOCs (extracted from sources)

path: /remote.php/dav/files/{username}
path: /remote.php/dav
command: PROPFIND /remote.php/dav/files/{username}?OC-Expires=991200&OC-Verb=PROPFIND&OC-Credential={username}&OC-Date={oc_date}&OC-Signature={dk.hex()}
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49105.request; http.method; content:!"OPTIONS"; http.uri; content:"/remote.php/dav"; fast_pattern; content:"OC-Credential="; nocase; content:"OC-Verb="; nocase; content:"OC-Expires="; nocase; content:"OC-Date="; nocase; content:"OC-Signature="; nocase; pcre:"/^[a-f0-9]{64}(?:&|$)/R"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:attempted-admin; sid:2049617; rev:2; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49105.request; http.response_body; content:"xmlns|3a|oc|3d 22|http|3a 2f 2f|owncloud|2e|org|2f|ns|22 3e|"; content:"|3c|d|3a|href|3e 2f|remote|2e|php|2f|"; fast_pattern; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:successful-admin; sid:2049618; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit requests use HTTP method PROPFIND against /remote.php/dav with pre-signed URL query parameters: OC-Credential, OC-Verb, OC-Expires, OC-Date, and OC-Signature (64-char hex string). Absence of a valid signing key means any PBKDF2-derived signature over an empty key will be accepted.
  • Successful exploitation returns HTTP 207 Multi-Status with a WebDAV response body containing the owncloud.org namespace XML (xmlns:oc="http://owncloud.org/ns") and a <d:href>/remote.php/ element.
  • The OC-Signature value is derived via PBKDF2-HMAC-SHA512 over the full pre-signed URL string with an empty salt and empty password (empty signing key), 10000 iterations, 32-byte output — producing a 64-character lowercase hex string.
  • The Nuclei template uses a Shodan/FOFA/Google dork to identify exposed ownCloud instances: Shodan title:"owncloud", FOFA title="owncloud", Google intitle:"owncloud".
  • The Nuclei template's matcher for a failed bypass attempt (wrong username) looks for Sabre/Exception/NotAuthenticated strings in the response body together with a non-207 HTTP status, indicating the endpoint is reachable and the exploit path is active.
  • The vulnerability affects ownCloud/core versions 10.6.0 through 10.13.0 (fixed in 10.13.1). Victims must have no signing-key configured for their account.
  • Exploitation only succeeds when the targeted ownCloud user account has NO signing-key configured. Accounts with a signing-key set are not vulnerable to this bypass.
  • The ET rules are marked for deployment in Perimeter, Internal, and SSLDecrypt contexts; SSL inspection is required to detect this exploit over HTTPS.
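
A log-side counterpart to the two ET rules above, as an added example (not from the original page, the rule authors, or ownCloud): it flags access-log requests that carry all five pre-signed URL parameters with a 64-character hex signature, and marks 207 responses as likely successes. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line: source IP, method, target, status.
REQ = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3}) ')
# Pre-signed URL parameters named in the ET rule (matched case-insensitively).
REQUIRED = {"oc-credential", "oc-verb", "oc-expires", "oc-date", "oc-signature"}

def classify(line):
    """Return (src_ip, target_user, verdict) for a candidate request, else None."""
    m = REQ.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    url = urlsplit(target)
    # Same scoping as the rule: any method except OPTIONS, URI contains /remote.php/dav.
    if method == "OPTIONS" or "/remote.php/dav" not in url.path:
        return None
    params = {k.lower(): v[0]
              for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if not REQUIRED <= params.keys():
        return None
    # OC-Signature must be exactly 64 lowercase hex characters.
    if not re.fullmatch(r"[a-f0-9]{64}", params["oc-signature"]):
        return None
    # 207 Multi-Status is the success indicator listed above; anything else is an attempt.
    verdict = "likely-success" if status == "207" else "attempt"
    return (src, params["oc-credential"], verdict)

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# --- Constructed sample data (documentation IP ranges, made-up users) ---
SIG = "ab" * 32
QS = ("OC-Expires=991200&OC-Verb=PROPFIND&OC-Credential=alice"
      "&OC-Date=2023-12-07T10%3A00%3A00.000Z&OC-Signature=")

def make_line(src, method, target, status):
    return (f'{src} - - [07/Dec/2023:10:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512 "-" "-"')

SAMPLE_LOG = [
    make_line("203.0.113.7", "PROPFIND", "/remote.php/dav/files/alice?" + QS + SIG, 207),
    make_line("203.0.113.7", "PROPFIND", "/remote.php/dav/files/bob?" + QS.replace("alice", "bob") + SIG, 401),
    make_line("198.51.100.4", "PROPFIND", "/remote.php/dav/files/carol/", 207),   # normal WebDAV
    make_line("198.51.100.4", "OPTIONS", "/remote.php/dav/files/alice?" + QS + SIG, 200),
    make_line("198.51.100.9", "GET", "/remote.php/dav/files/alice/a.txt?" + QS + "abc123", 401),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The match is on request shape only; whether a hit was exploitable depends on whether the targeted account has a signing-key configured, so triage hits against that.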