Title: Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration
Advisory ID: ZSL-2023-5781
Type: Local/Remote
Impact: Exposure of System Information
Risk: (3/5)
Release Date: 07.07.2023

Summary

TITAN File is a multi-codec/format video transcoding software, for mezzanine, STB and ABR VOD, PostProduction, Playout and Archive applications. TITAN File is based on ATEME 5th Generation STREAM compression engine and delivers the highest video quality at minimum bitrates with accelerated parallel processing.

Description

Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. This can be used by an external attacker for example to bypass firewalls and initiate a service, file and network enumeration on the internal network through the affected application.

Vendor

Ateme - https://www.ateme.com

Affected Version

3.9.12.4
3.9.11.0
3.9.9.2
3.9.8.0

Tested On

Microsoft Windows
NodeJS
Ateme KFE Software

Vendor Status

[22.04.2023] Vulnerability discovered.
[23.04.2023] Vendor contacted.
[06.07.2023] No response from the vendor.
[07.07.2023] Public security advisory released.

PoC

ateme_ssrf.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/51582
[2] https://packetstormsecurity.com/files/173384/
[3] https://cxsecurity.com/issue/WLB-2023070029
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/263694

Changelog

[07.07.2023] - Initial release
[26.07.2023] - Added reference [1], [2] and [3]
[31.08.2023] - Added reference [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk