CVE-2022-30534 An OS command injection vulnerability exists in the WWBN AVideo 11.6 and dev master commit 3f7c0364 functionality of aVideoEncoder. A specially crafted HTTP request can lead to arbitrary command execution.

The request should contain the following parameters:

http://Vulnerable Server>/{aVideoEncoder}/{aVideoEncoder}/{path}?cmd={command}

An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

OS command injection vulnerabilities can be exploited by remote attackers to execute code on the affected system as the root user.

These vulnerabilities can be exploited manually by remote attackers, or by using a software to automate the process.

Details:

1. OS Command Injection Vulnerability with aVideoEncoder in WWBN AVideo 11.6 and dev master commit 3f7c0364

Operation Scenarios

Vulnerability Description:

A command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution.

Vulnerable code sequence to reproduce the vulnerability

HTTP/1.1 200 OK
Date: Sat, 28 Dec 2015 15:32:51 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.29
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=fe0153cee7146b03c3930d7a9f6d31f6; path=/
Cache-Control: public
Expires: -1
Pragma: no-cache
Location:/uploadvideo?cmd=ls -la /tmp/* HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Date : Sat, 28 Dec 2015 15:32:52 GMT Server : Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9 .8e-fips-rhel5 mod_bwlimited / 1 .4 Connection : close Location : http://Vulnerable Server > /uploadvideo?cmd=id&uid={user} Location : http://Vulnerable Server

Vulnerability Description

An OS command injection vulnerability exists in the aVideoEncoder chunkfile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

Timeline

Published on: 08/22/2022 19:15:00 UTC
Last modified on: 08/26/2022 13:50:00 UTC

References

• https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql
• https://talosintelligence.com/vulnerability_reports/TALOS-2022-1546
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-30534