exploit the possibilities

ownCloud 7.0.0 Private RSA Key Disclosure

ownCloud 7.0.0 Private RSA Key Disclosure
Posted Aug 4, 2014
Authored by Senderek Web Security

In consequence of an insufficient threat model, ownCloud is storing all user's private RSA keys in clear text in PHP session files. These unencrypted private keys can be accessed by every web application that has the privilege of the web server user. The affected files exposing cryptographic keys will be stored in the PHP session directory for a number of hours until they are removed. All versions of ownCloud since the introduction of the encryption module in version 5.0.7 including version 7.0.0 are affected.

tags | advisory, web, php, info disclosure
MD5 | 9a2fb1f3e8b44cbf8ffdd62847a1159b

ownCloud 7.0.0 Private RSA Key Disclosure

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Senderek Web Security - Security Advisory

ownCloud Unencrypted Private Key Exposure
=========================================

https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php

Revision: 1.00
Last Updated: 3 Aug 2014


Summary:

In consequence of an insufficient threat model, ownCloud is storing all user's
private RSA keys in clear text in PHP session files.
These unencrypted private keys can be accessed by every web application that
has the privilege of the web server user. The affected files exposing cryptographic
keys will be stored in the PHP session directory for a number of hours until they
are removed.

This issue was reported to ownCloud via encrypted email on Tue, 11 Mar 2014.
I received a reply to this report from the vendor on Wed, 12 Mar 2014.

On Tue, 22 July 2014 the vendor confirmed, that they will not address this problem,
because the protection of user encrypted files from remote attackers that have
read access to the file system with web server privilege is not - and will not be -
part of their threat model. Consequently, the vendor does not consider this to be
a vulnerability or security issue.

Severity: High


Affected Software Versions:

All versions of ownCloud since the introduction of the encryption module in
version 5.0.7 including version 7.0.0.


Impact:

An attacker, who is able to read the PHP session files by exploiting another web
application that is running on the ownCloud server, will be able to gather the
unencrypted private key of every ownCloud user.
All encrypted files that are stored in a user's home directory can be decrypted
with this RSA private key, stored in the PHP session files in plain text.
If the user's encrypted files are synced to other devices or shared with
other servers - for hosting or backup - an attacker will be able to decrypt all
user data that is being intercepted, even if the attacker has no longer access to
the server's file system.


Fixes:

In addition to the ownCloud encryption module users are advised to encrypt their
sensitive files separately with a standard server-side encryption mechanism like
GnuPG using a passphrase, that is not stored on the server except while being used
in memory.

One software solution that extends ownCloud with GnuPG-based server-side encryption
can be downloaded here:

https://senderek.ie/downloads/release/cloud/wee-owncloud.tar

A detailed installation tutorial is available at:

https://senderek.ie/wee/cloud/wee-owncloud.php

This general web application extension addresses a more comprehensive threat model,
that includes the possibility of read-access to web server accessible files on the
server. However, it does not protect against malicious actions of server admins,
as this cannot be prevented by web applications.


Security Advice Policy:

Complete information about reporting security vulnerabilities can be found here:

https://senderek.ie/responsible.disclosure.policy.php

All information in this security advisory is copyrighted because of the time and
effort in analysing and documenting the vulnerability described here.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJT3lsOAAoJECyxzx4lRhdKI30QAKrVrr9nFO3+qdX6a0V6sJoy
sJUaqTbW9i1EI8IId2Vd1oh5GHJVq6BI9mnO+dTX+Y32B/cct1vfe+7Xfzhl9sGM
g0Z3vMsnm2MbEW2AjJTC3CCCHsLt3oSwpsevQaQ2BRZbUgSS1VIYCA6zACLJgzHr
oX/ExHXqdZ8Slol4N+3h9q5+DT2VjVgoBdNXWIeq0nd6iYbAlFS9YLECDAnFPtAl
OW05Z9m1wkMSxW1NiJPrQRmHn7YY41/SH7lgyIX0+lpi0h2D/LzAvpoVDRQL1j9A
aTP3B3xjCW8sQShKd4y8xLKQq2023L8ucy+h6anWbJCliIbK5cnXsjBgIJaGwpQw
9j5a1huKDsaXXEw5bmGpyiKMEhQ48YPBX0eMnGxOmShnRyvmhWiGPNMey9CgwEdR
hFZPN+sPC88EjSO+VMheWv4Ts3gDw9g2VmDy30B2Xd3X4yRBSjCLrD0OZbbytNQx
HIU7CJWnFKNUFZnQY4sZdxjlQf9wrLjGK7dxSTAY+n5qWH56RJVSO/Bj79i+Y+km
JVF3OO4IIO3BXcWwUfiPAmLvAOwedKNmbm23MdqquYsUnpWQYNiumETz/hpD1z/P
RCJS1Uc4sjg1mtBxxZqXLjpXm/WjgfOA8uulLdtmcmkqxaGfRdxQkJOsqZPdsje0
fJ2oNHU/Zu5KkROksoN9
=Pg9f
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    28 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close