welovemedia FFmate Argument Injection Vulnerability in FFmpeg Command Execution

Vulnerability

A critical argument injection vulnerability has been identified in welovemedia FFmate versions through 2.0.15. The issue arises in the FFmpeg command execution feature, where user-controlled preset parameters are passed directly to the FFmpeg binary without adequate validation or sanitization. Although the application tries to mitigate command injection by escaping characters for the shell, that escaping only neutralizes shell metacharacters; it does not restrict which FFmpeg options a preset may pass, so attackers can still exploit FFmpeg's wide range of argument options to trigger unintended actions. By creating malicious preset commands that use FFmpeg's metadata writing features, attackers can generate text files with custom content and save them to any location on the filesystem accessible to the application. This could lead to overwriting important system files, injecting SSH keys for remote access, altering application configuration files, and potentially executing arbitrary code remotely.

Impact

Exploitation of this vulnerability allows for argument injection in FFmpeg commands, which could be used to overwrite critical system files, inject SSH authorized keys for remote access, modify application configuration files, and potentially achieve full remote code execution.

Reproduction

To reproduce this vulnerability, create a preset through the FFmate API that includes a command designed to exploit the argument injection flaw. The crafted command should utilize FFmpeg's metadata options to write arbitrary content, such as an SSH key, to a file location accessible by the application. After uploading the preset, initiate a task that executes the preset command. Once the task is completed, verify that the injected content was successfully written to the target location, such as the authorized_keys file for SSH access.
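The mitigation this advisory points at is validation at the argument level, not the shell level, because FFmpeg never needs a shell to act on an injected option. The following is an added example (not FFmate's own code) of such a check: it assumes a hypothetical allowlist of preset options, an assumed sandbox directory `root` that is also the task's working directory, and an argv that has already been split, so quoting plays no role.

```go
package main

import "fmt"
import "path/filepath"
import "strings"

// Hypothetical preset policy (assumption, not FFmate's): each permitted option
// maps to the kind of value it takes; anything else (e.g. -metadata, -f) is rejected.
var presetOpts = map[string]string{
	"-y": "flag", "-i": "path",
	"-c:v": "value", "-c:a": "value", "-b:v": "value", "-b:a": "value",
	"-vf": "value", "-af": "value", "-t": "value",
}

// underRoot reports whether p, resolved the way FFmpeg would resolve it, stays
// inside root. Assumption: the task runs with root as its working directory.
func underRoot(root, p string) bool {
	if !filepath.IsAbs(p) {
		p = filepath.Join(root, p)
	}
	rel, err := filepath.Rel(root, filepath.Clean(p))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ValidatePresetArgs walks an already-split argv, rejects any option outside the
// allowlist, and confines every input and output path to the (absolute) root.
func ValidatePresetArgs(args []string, root string) error {
	for i := 0; i < len(args); i++ {
		tok := args[i]
		kind, ok := presetOpts[tok]
		switch {
		case !strings.HasPrefix(tok, "-"): // positional token: FFmpeg treats it as an output file
			if !underRoot(root, tok) {
				return fmt.Errorf("output %q escapes %s", tok, root)
			}
		case !ok:
			return fmt.Errorf("option %q is not permitted in presets", tok)
		case kind == "flag":
		case i+1 >= len(args) || strings.HasPrefix(args[i+1], "-"):
			return fmt.Errorf("option %q needs a value", tok)
		default:
			i++
			if kind == "path" && !underRoot(root, args[i]) {
				return fmt.Errorf("input %q escapes %s", args[i], root)
			}
		}
	}
	return nil
}
```

A preset that names an unlisted option, or whose output path climbs out of the sandbox, is refused before FFmpeg is spawned; a plain transcode with relative paths passes.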

Added: Mar 8, 2026, 12:19 AM
Updated: Mar 8, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm scores (0-10):

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.