<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>WWBN AVideo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/wwbn-avideo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/wwbn-avideo/feed.xml" rel="self" type="application/rss+xml"/><item><title>AVideo Restreamer Endpoint Vulnerability Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-avideo-rce/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-avideo-rce/</guid><description>AVideo versions up to 26.0 are vulnerable to remote code execution due to unsanitized user-controlled input in the restreamer endpoint that is passed to shell commands.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is vulnerable to remote command execution (RCE) in versions up to and including 26.0. The vulnerability lies in the restreamer endpoint, where the application constructs a log file path by embedding unsanitized <code>users_id</code> and <code>liveTransmitionHistory_id</code> values derived from the JSON request body. These attacker-controlled values are then directly concatenated into shell commands, which are subsequently executed using the <code>exec()</code> function. This allows an authenticated attacker to inject shell metacharacters such as <code>$()</code> or backticks, leading to arbitrary command execution on the server. This vulnerability allows complete compromise of the AVideo server. The patch is available in commit 99b865413172045fef6a98b5e9bfc7b24da11678.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker sends a crafted POST request to the <code>/restreamer</code> endpoint.</li>
<li>The attacker injects shell metacharacters (e.g., <code>$()</code>, backticks) into the <code>users_id</code> and/or <code>liveTransmitionHistory_id</code> parameters within the JSON request body.</li>
<li>The AVideo application receives the request and constructs a log file path using the unsanitized input.</li>
<li>The application concatenates the malicious log file path into a shell command string.</li>
<li>The <code>exec()</code> function executes the crafted shell command on the server.</li>
<li>The injected shell metacharacters trigger the execution of arbitrary commands on the system.</li>
<li>The attacker achieves remote code execution, potentially leading to system compromise.</li>
<li>The attacker can then install malware, exfiltrate data, or pivot to other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the AVideo server. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The specific number of affected AVideo instances is unknown, but given its open-source nature, the potential impact is significant if unpatched instances are exposed to the internet. This could affect any organization that uses AVideo as a video platform.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade AVideo installations to a patched version that includes commit 99b865413172045fef6a98b5e9bfc7b24da11678 to remediate CVE-2026-33648.</li>
<li>Implement input validation and sanitization on the <code>/restreamer</code> endpoint to prevent shell metacharacter injection, mitigating CVE-2026-33648.</li>
<li>Deploy the Sigma rule <code>Detect AVideo Restreamer RCE Attempt</code> to identify exploitation attempts in web server logs.</li>
<li>Monitor web server logs for suspicious POST requests to <code>/restreamer</code> containing shell metacharacters in the request body to identify potential exploitation attempts, helping to mitigate CVE-2026-33648.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>rce</category><category>command-injection</category><category>web-application</category><category>linux</category></item></channel></rss>