CVE-2017-14143
published 2017-09-19
Priority P278 · critical · 9.8 CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 75.50% (99.5th percentile)
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and execute arbitrary PHP code via a crafted userzone cookie.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaltura | kaltura_server | <= mercury-13.1.0 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /index.php/keditorservices/getAllEntries with a 'userzone' cookie present. This is the specific endpoint and cookie name used by the exploit to deliver the PHP object injection payload.
- Detect unauthenticated requests to the getAllEntries keditorservices endpoint with a list_type=15 parameter combined with a userzone cookie, which is the exact exploit request pattern.
- Flag PHP object injection attempts via the userzone cookie; the exploit constructs a POP chain payload (SektionEins Zend code execution PoC) serialized and base64-encoded within the cookie value.
- The exploit requires a valid entry_id from any media resource on the target Kaltura installation; without it the exploit will fail. Defenders should note that any publicly accessible media entry_id is sufficient for an attacker.
- The vulnerability affects Kaltura versions prior to 13.2.0 (NVD) / 13.1.0 (module description discrepancy); patch to 13.2.0 or later to remediate.
- The module was tested against Kaltura 13.1.0-2 on Ubuntu 14.04; behavior on other OS/version combinations may differ.
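A log triage for the request indicators listed above, added here as an example (it is not code from the advisory, Exploit-DB or Metasploit). It assumes an Apache "combined" access log extended with a trailing `"%{Cookie}i"` field; the sample lines, IP addresses and cookie values are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint, cookie name and list_type value come from the indicators above.
ENDPOINT = "/index.php/keditorservices/getAllEntries"
COOKIE_NAME = "userzone"

# Assumed log layout: Apache "combined" plus a trailing "%{Cookie}i" field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, placeholder cookie values).
SAMPLE = [
    '198.51.100.7 - - [19/Sep/2017:10:00:01 +0000] "GET /index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_abc1234 HTTP/1.1" 200 512 "-" "curl/7.52" "PHPSESSID=constructed1"',
    '203.0.113.9 - - [19/Sep/2017:10:00:05 +0000] "GET /index.php/keditorservices/getAllEntries?list_type=15&entry_id=0_abc1234 HTTP/1.1" 200 0 "-" "python-requests/2.18" "userzone=CONSTRUCTED-PLACEHOLDER"',
    '203.0.113.9 - - [19/Sep/2017:10:00:09 +0000] "POST /index.php//keditorservices/getAllEntries HTTP/1.1" 200 0 "-" "-" "lang=en; userzone=CONSTRUCTED-PLACEHOLDER"',
    '192.0.2.4 - - [19/Sep/2017:10:01:00 +0000] "GET /index.php/kmc HTTP/1.1" 200 900 "-" "Mozilla/5.0" "userzone=CONSTRUCTED-PLACEHOLDER"',
]

def cookie_names(header):
    """Return the set of cookie names in a raw Cookie header value."""
    return {p.split("=", 1)[0].strip() for p in header.split(";") if "=" in p}

def classify(line):
    """Return None for a benign line, else a dict describing the hit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return {"severity": "unparsed", "line": line.strip()}  # never drop silently
    url = urlsplit(m["target"])
    # Normalise percent-encoding and doubled slashes before comparing paths.
    path = re.sub(r"/{2,}", "/", unquote(url.path)).rstrip("/")
    if path != ENDPOINT or COOKIE_NAME not in cookie_names(m["cookie"]):
        return None
    # list_type is only visible when sent in the query string; a POST body is
    # not logged, so endpoint + cookie alone is still reported (as "medium").
    exact = "15" in parse_qs(url.query).get("list_type", [])
    return {"severity": "high" if exact else "medium", "ip": m["ip"],
            "ts": m["ts"], "method": m["method"], "status": m["status"]}

def triage(lines):
    """Return all non-benign classifications, in input order."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Stock access-log formats do not record the Cookie header, so this check only works where cookie logging (or equivalent WAF/proxy telemetry) is enabled.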
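CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |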
No detection rules found.
Exploit-DB
Kaltura - Remote PHP Code Execution over Cookie (Metasploit)
exploitdb·2018-01-24
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Kaltura Remote PHP Code Execution over Cookie',
'Description' => %q{
This module exploits an Object Injection vulnerability in Kaltura.
By exploiting this vulnerability, unauthenticated users can execute
arbitrary code under the context of the web server user.
Kaltura makes use of a hardcoded cookie secret which allows to sign
arbitrary cookie data. After passing this signature check, the base64-
decoded data is passed to PHPs unserialize() function which allows for
code execution. The constructed object is again based on the SektionEins
Zend code execution POP c
Exploit-DB
Kaltura < 13.2.0 - Remote Code Execution
exploitdb·2017-10-23·CVSS 9.8
Kaltura " % sys.argv[0])
print(" example: %s http://example.com 0_abc1234 system('id')" % sys.argv[0])
sys.exit(0)
host = sys.argv[1]
entry_id = sys.argv[2]
cmd = sys.argv[3]
print("[~] host: %s" % host)
print("[~] entry_id: %s" % entry_id)
print("[~] php_code: %s" % cmd)
result = exploit(sys.argv[1], sys.argv[2], sys.argv[3])
print(result)
Metasploit
Kaltura Remote PHP Code Execution over Cookie
metasploit
This module exploits an Object Injection vulnerability in Kaltura. By exploiting this vulnerability, unauthenticated users can execute arbitrary code under the context of the web server user. Kaltura makes use of a hardcoded cookie secret which allows to sign arbitrary cookie data. After passing this signature check, the base64-decoded data is passed to PHP's unserialize() function which allows for code execution. The constructed object is again based on the SektionEins Zend code execution POP chain PoC. Kaltura versions prior to 13.1.0 are affected by this issue. A valid entry_id (which is required for this exploit) can be obtained from any media resource published on the Kaltura installation. This module was tested against Kaltura 13.1.0-2 i
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/100976
- https://github.com/kaltura/server/commit/6a6d14328b7a1493e8c47f9565461e5f88be20c9#diff-0770640cc76112cbf77bebc604852682
- https://telekomsecurity.github.io/assets/advisories/20170912_kaltura-advisory.txt
- https://www.exploit-db.com/exploits/43028/
- https://www.exploit-db.com/exploits/43876/