ownCloud is client-server software that grants administrators several privileges, such as carrying out commands as another user, essentially impersonating that user to perform the desired tasks. For security reasons, group administrators can only do this for users who are fellow members of their group. Despite this measure, the software is exposed to a crucial user impersonation authorization bypass attack.
The vulnerability was first discovered by Thierry Viaccoz on the 15th of March. The vendor was first notified on the 16th of March and acknowledged the report the very same day. Just over a month later, the corrected version of the software, version 0.2.0, was released on the 17th of March, and public disclosure was set for the 29th of August, which was just a few days ago.
This vulnerability affects ownCloud version 0.1.2. Version 0.2.0 was found to be unaffected. Other versions of ownCloud have not yet been tested, but it is suspected that older versions may be vulnerable to the same defect as version 0.1.2.
This high-risk vulnerability has not yet been assigned a CVE identifier. It is nonetheless tracked under the CSNC ID CSNC-2018-015. The vulnerability is remotely exploitable, and it affects ownCloud’s Impersonate.
To recreate this attack, you must first create two groups (g1 and g2). Next, you must create four users in these groups: test1, in group g1 and group admin of g1; test2, in group g1 and not a group admin; test3, in group g2 and group admin of g2; test4, in group g2 and not a group admin.
The most significant mitigation, workaround, or fix put out for this issue is an advisory to users to check other people’s authorization constantly in order to stop group administrators from impersonating other people or groups.
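The authorization rule described above, applied to the four test accounts, can be written as a server-side check and used as a regression matrix. This is an added example, not ownCloud's code: the `User` class, `can_impersonate` and `allowed_pairs` are hypothetical names, and the handling of full administrators and of self-impersonation is an assumption.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = field(default_factory=frozenset)    # groups the user is a member of
    admin_of: frozenset = field(default_factory=frozenset)  # groups the user administers
    is_admin: bool = False                                   # full administrator (assumed flag)


# The four accounts from the setup above (g1 and g2 are the two groups).
USERS = {
    u.name: u for u in (
        User("test1", frozenset({"g1"}), frozenset({"g1"})),
        User("test2", frozenset({"g1"})),
        User("test3", frozenset({"g2"}), frozenset({"g2"})),
        User("test4", frozenset({"g2"})),
    )
}


def can_impersonate(actor: User, target: User) -> bool:
    """Decide on the server, for every request, whether actor may act as target."""
    if actor.name == target.name:
        return False  # assumption: impersonating yourself is rejected
    if actor.is_admin:
        return True   # assumption: full administrators are not group-restricted
    # A group administrator needs the target to be a member of at least one
    # group the actor administers; merely being *a* group admin is not enough.
    return bool(actor.admin_of & target.groups)


def allowed_pairs(users: dict) -> set:
    """Every (actor, target) pair the policy permits, for use as a test matrix."""
    return {
        (a.name, t.name)
        for a in users.values()
        for t in users.values()
        if can_impersonate(a, t)
    }


if __name__ == "__main__":
    for actor, target in sorted(allowed_pairs(USERS)):
        print(f"allowed: {actor} -> {target}")
```

Any impersonation request outside the returned pairs, for example test1 acting as test3 or test4, should be refused by the server.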