WWBN AVideo CloneSite Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in WWBN AVideo versions through 26.0, specifically within the CloneSite plugin. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the server. The issue arises from the `clones.json.php` endpoint, which exposes clone secret keys without authentication. These keys can be used to initiate a database dump via `cloneServer.json.php`. The dumped database contains admin password hashes stored as MD5, which are easily crackable. Once an attacker gains admin access, they can exploit an OS command injection vulnerability in the `rsync` command construction within `cloneClient.json.php` to execute arbitrary system commands.

Impact

Exploitation of this vulnerability leads to complete server compromise, allowing for arbitrary command execution as the web server user. Additionally, it results in full database disclosure, exfiltrating the entire database including users, videos, configurations, and secrets. All user passwords, stored as MD5 hashes, are easily recoverable, and database and SSH credentials may enable access to other systems.

Reproduction

The vulnerability can be reproduced by first accessing the `clones.json.php` endpoint to retrieve clone keys. This step can be done using a simple HTTP request, which will return a JSON response containing the keys. Once a key is obtained, it can be used to trigger a database dump through the `cloneServer.json.php` endpoint. After the dump is completed, the SQL file can be downloaded, and the admin credentials extracted by searching for the MD5 hashes of the passwords. With the admin password, an attacker can log in as an admin and configure the CloneSite plugin to execute commands on the server via the `videosDir` field.

Remediation

Users are advised to update to the patched version of AVideo, which includes authentication for the `clones.json.php` endpoint, prevents SQL dumps from being stored in web-accessible directories, upgrades password hashing to a more secure method, and sanitizes parameters in the `rsync` command to prevent injection attacks.
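For defenders reviewing web-server access logs for the request chain described in the Reproduction section, here is an added detection example that is not part of this advisory or of the AVideo project. It assumes combined-format (Apache/nginx) log lines, matches the two CloneSite endpoints by file name because the install prefix varies per deployment, and treats a successful `.sql` download from the web root as the third stage; the log lines are constructed samples, not real traffic.

```python
import re

# Constructed sample lines in combined log format (placeholder IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [23/Mar/2026:15:01:02 +0000] "GET /plugin/CloneSite/clones.json.php?_=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.10 - - [23/Mar/2026:15:01:09 +0000] "GET /plugin/CloneSite/cloneServer.json.php HTTP/1.1" 200 88 "-" "curl/8.4.0"
203.0.113.10 - - [23/Mar/2026:15:02:30 +0000] "GET /videos/cache/dump.sql HTTP/1.1" 200 7340032 "-" "curl/8.4.0"
198.51.100.7 - - [23/Mar/2026:15:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints named in the advisory, keyed by file name (the /plugin/CloneSite/
# prefix in the samples is an assumption about the deployment layout).
WATCHED = {
    "clones.json.php": "clone-key disclosure",
    "cloneServer.json.php": "db dump trigger",
}
CHAIN = set(WATCHED.values()) | {"sql dump download"}

def classify(line):
    """Return (source_ip, stage) for a line that matches one attack stage, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]   # drop the query string
    base = path.rsplit("/", 1)[-1]
    if base in WATCHED:                        # any status: a 401/403 is still an attempt
        return (m.group("ip"), WATCHED[base])
    if base.lower().endswith(".sql") and m.group("status") == "200":
        return (m.group("ip"), "sql dump download")
    return None

def stages_by_source(log_text):
    """Map each source IP to the ordered list of attack stages it was seen performing."""
    by_ip = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            by_ip.setdefault(hit[0], []).append(hit[1])
    return by_ip

def full_chain_sources(log_text):
    """IPs that performed all three stages: key disclosure, dump trigger, dump download."""
    return sorted(ip for ip, tags in stages_by_source(log_text).items() if CHAIN <= set(tags))
```

A single hit on `clones.json.php` is worth a ticket on its own; the full-chain check is there to prioritise sources that most likely obtained the database.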

Added: Mar 23, 2026, 3:24 PM
Updated: Mar 23, 2026, 3:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 9.3
remediation: 0.0
relevance: 4.6
threat: 6.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.