Today I am going to publicly disclose a vulnerability that I recently discovered in the VideoWhisper Live Streaming software. The software suffers from a remote command execution vulnerability. Specifically, the issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands to be executed on the remote machine.
VideoWhisper Live Streaming provides web based live video streaming (from webcam or similar sources). Live Streaming contains a web based application to broadcast video with realtime configuration of resolution, framerate, bandwidth, audio rate and also allows discussing with video subscribers.
I decided to do a source code review of the VideoWhisper Live Streaming software as one of my research projects.
General Review
It took me many hours to read the source code. Many files caught my attention, and ls_transcoder.php was one of the files I considered suspicious.
```php
<?php include("header.php"); ?>
<div class="info">
<?php
if ($stream=$_GET['n']){                      // line 6 of the original listing: user-controlled GET parameter
    include_once("incsan.php");
    sanV($stream);                            // line 12: filter function applied to $stream
    include_once("settings.php");
    echo "<H3>".$stream."</h3>";
}
$upath = getcwd() . "/uploads/$stream/";
$cmd = "ps aux | grep '/i_$stream -i rtmp'";  // line 21: $stream interpolated into a shell command
exec($cmd, $output, $returnvalue);            // line 22: the command string is executed
```
In line 21, the $stream parameter is inserted into a command that is passed to the exec function in line 22. The exec function executes commands on the remote machine and returns the output in the array passed as its second argument.
The $stream parameter is user-controlled input sent through the GET request in line 6. However, there is a filter function, sanV($stream), in line 12. If I am able to bypass this filter, then I will be able to gain command injection in the application.
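A hardened form of the process check in ls_transcoder.php, as an added example that is not VideoWhisper's code or the author's: the stream name is checked against an allow-list and the process list is read without a shell, so the name never reaches a command line. The function names, the name policy (character set and 64-character limit) and the PHP 7.4+ requirement are assumptions made for illustration.

```php
<?php
// Added example, not VideoWhisper code. Function names and the name policy
// are assumptions made for illustration. Requires PHP >= 7.4.

/** Allow-list check: letters, digits, '_' and '-' only, 1 to 64 characters. */
function is_valid_stream_name(string $name): bool
{
    // \A and \z anchor the whole string; '$' would also accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) === 1;
}

/**
 * Return the `ps aux` lines that belong to the transcoder of $stream.
 * The listing is matched in PHP instead of being piped through grep,
 * so $stream is only ever compared as data.
 */
function find_transcoder_processes(string $stream): array
{
    if (!is_valid_stream_name($stream)) {
        throw new InvalidArgumentException('invalid stream name');
    }
    // Array form of proc_open runs the program directly, without /bin/sh.
    $proc = proc_open(['ps', 'aux'], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ps');
    }
    $listing = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);

    // Same marker the original grep pattern looked for.
    $needle = "/i_{$stream} -i rtmp";
    return array_values(array_filter(
        explode("\n", $listing),
        fn(string $line): bool => strpos($line, $needle) !== false
    ));
}

// Constructed sample names: one well-formed, three that the policy rejects.
foreach (['lobby_cam1', 'cam 2', "cam'3", '../cam4'] as $candidate) {
    printf("%-12s %s\n", $candidate,
        is_valid_stream_name($candidate) ? 'accepted' : 'rejected');
}
// Prints the matching process lines (an empty array when no transcoder runs).
print_r(find_transcoder_processes('lobby_cam1'));
```

If a shell pipeline cannot be avoided, wrapping the validated value with PHP's escapeshellarg() before building the command string is the fallback.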