WWBN AVideo Command Injection Vulnerability in Restreamer Endpoint

Vulnerability

A command injection vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the restreamer endpoint, where user-controlled `users_id` and `liveTransmitionHistory_id` values are embedded into a log file path without proper sanitization. This unsanitized path is then directly included in shell commands executed on the server, allowing authenticated users to execute arbitrary commands using shell metacharacters. The vulnerability has been patched in version 27.0.
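
The bug class the advisory describes, shown as a hardened version of the pattern (an added illustration, not AVideo's own code): the two IDs are validated as positive integers before they can become part of a path, and the path is still quoted with `escapeshellarg()` when it reaches a shell command. `RESTREAM_LOG_DIR`, the file-name pattern and the `tail` command are assumptions.

```php
<?php
// Hypothetical hardening of the restreamer log-path pattern (not AVideo's code).
// Layer 1: users_id and liveTransmitionHistory_id are numeric by contract, so
//          anything that is not a positive integer is rejected before it can
//          be embedded in a path.
// Layer 2: the assembled path is checked against the log directory and then
//          single-quoted with escapeshellarg() so the shell never parses it.
declare(strict_types=1);

const RESTREAM_LOG_DIR = '/var/log/avideo/restream'; // assumed directory

function validatedId(mixed $value): int
{
    // FILTER_VALIDATE_INT rejects values such as "12$(cmd)", "12;x", "0x1f",
    // "" and arrays; min_range additionally rejects 0 and negatives.
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

function restreamLogPath(mixed $usersId, mixed $historyId): string
{
    $path = sprintf('%s/%d_%d.log', RESTREAM_LOG_DIR,
        validatedId($usersId), validatedId($historyId));
    // Defense in depth: the path must not leave the intended log directory.
    if (dirname($path) !== RESTREAM_LOG_DIR) {
        throw new RuntimeException('log path escaped its directory');
    }
    return $path;
}

function restreamCommand(mixed $usersId, mixed $historyId): string
{
    // escapeshellarg() wraps the argument in single quotes, so even a
    // weakened validator upstream would not hand metacharacters to the shell.
    return 'tail -n 50 ' . escapeshellarg(restreamLogPath($usersId, $historyId));
}

// Demonstration with constructed inputs.
echo restreamCommand('42', '7'), PHP_EOL;   // well-formed IDs pass through
try {
    restreamCommand('42$(cmd)', '7');       // metacharacters never reach a shell
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```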

Impact

Exploitation of this vulnerability allows authenticated users with restream permissions to execute arbitrary commands on the server with the privileges of the web server process. This could lead to a full server compromise, including access to sensitive files, the AVideo database and user data, disruption of services, and installation of backdoors such as web shells or cron jobs for persistent access.

Reproduction

To reproduce this vulnerability, an authenticated user with restream permissions can send a POST request to the `plugin/Live/standAloneFiles/restreamer.json.php` endpoint. The request must include a crafted `users_id` or `liveTransmitionHistory_id` value that contains shell metacharacters, such as `$()`, which will be executed on the server. After the command is executed, the output can be retrieved by accessing the appropriate file, such as `/tmp/pwned` or `/tmp/pwned2`, depending on which injection vector was used.

Remediation

Users are advised to update to AVideo version 27.0 or later, where this vulnerability has been patched.

Added: Mar 23, 2026, 7:32 PM
Updated: Mar 23, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 10.0
exploitability: 6.4
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.