WWBN AVideo OS Command Injection Vulnerability in FFmpeg Command Sanitization

A command injection vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the 'sanitizeFFmpegCommand()' function within 'plugin/API/standAlone/functions.php', which is intended to sanitize FFmpeg commands by removing hazardous shell metacharacters. However, it fails to eliminate the '$()' syntax used for command substitution in Bash. This oversight allows an attacker to execute arbitrary commands on the standalone encoder server by crafting a specific encrypted payload. The vulnerability is exploited by sending a malicious FFmpeg command that takes advantage of the unsanitized command substitution, leading to unauthorized command execution on the server.

Impact

Exploitation of this vulnerability allows for full arbitrary command execution on the standalone encoder server, with the same privileges as the web server process. This could lead to unauthorized access to video files, configuration data, and credentials stored on the encoder. Additionally, the vulnerability could be used to disrupt services by terminating encoding processes or consuming system resources.

Reproduction

To reproduce this vulnerability, send a request to 'plugin/API/standAlone/ffmpeg.json.php' with a crafted FFmpeg command that includes the '$()' syntax for command substitution. The command should be designed to bypass the sanitization process and execute a payload of choice. Ensure that the 'codeToExecEncrypted' parameter is properly encrypted using the AES-256-CBC algorithm, with the key derived from the 'saltV2' value and the initialization vector (IV) obtained from the 'systemRootPath' hash. Once the payload is decrypted on the server, the command will be executed with the desired privileges.

Remediation

Users are advised to update to the patched version of AVideo, which includes the necessary fix in the FFmpeg command sanitization function. Instructions for updating can be found in the AVideo documentation.