GitHub Security Lab (GHSL) Vulnerability Report, Ombi: GHSL-2023-088
The GitHub Security Lab team has identified a potential security vulnerability in Ombi.
We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.
If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at [email protected] (please include GHSL-2023-088 as a reference).
If you are NOT the correct point of contact for this report, please let us know!
Summary
Ombi, an application that allows users to request specific media from popular self-hosted streaming servers, contains a vulnerability that allows administrators to read arbitrary files on the Ombi host.
Product
Ombi
Tested Version
v4.36.1
Details
Arbitrary File Read in SystemController.cs (GHSL-2023-088)
An arbitrary file read vulnerability is present in the ReadLogFile and Download endpoints in SystemController.cs, because the route parameter logFileName is not sanitized before being combined with the Logs directory.
Path.Combine performs no normalization and no containment check. When using Path.Combine(arg1, arg2, arg3), an attacker can escape to folders/files outside of Path.Combine(arg1, arg2) by placing ".." segments in arg3. In addition, if arg3 is a rooted (absolute) path, Path.Combine discards the first two arguments entirely and returns arg3 unchanged, so the Logs prefix is never applied at all.
public async Task<IActionResult> ReadLogFile(string logFileName, CancellationToken token)
{
var logFile = Path.Combine(string.IsNullOrEmpty(Ombi.Helpers.StartupSingleton.Instance.StoragePath) ? _hosting.ContentRootPath : Helpers.StartupSingleton.Instance.StoragePath, "Logs", logFileName);
using (var fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
Note: I receive File errors when using the Download endpoint, but due to the similarity of the code in the two functions, it is clear that both endpoints share the same vulnerability.
public IActionResult Download(string logFileName, CancellationToken token)
{
var logFile = Path.Combine(string.IsNullOrEmpty(Ombi.Helpers.StartupSingleton.Instance.StoragePath) ? _hosting.ContentRootPath : Helpers.StartupSingleton.Instance.StoragePath, "Logs", logFileName);
using (var fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
Impact
This vulnerability can lead to information disclosure. The Ombi documentation suggests running Ombi as a Service (background process) and giving the service Administrator privileges. An attacker targeting such an installation may be able to read the files of any Windows user on the host machine and certain system files. Because an Ombi instance is typically shared with other users, holding the Ombi administrator role does not imply that a user should be able to read arbitrary files from the host.
Proof of Concept
In order to trigger the vulnerability, use the following curl command, replacing the placeholders with an administrator's bearer token and the path of the file to read (the Host header and port, 3577 here, must match the instance under test):
curl -i -s -k -X $'GET' -H $'Host: localhost:3577' -H $'Accept: application/json, text/plain, */*' -H $'Authorization: Bearer <insert admin bearer token>' -H $'User-Agent: curl' $'http://localhost:3577/api/v2/system/logs/<insert full path to file>'
Remediation
Ensure the combined path (variable logFile) is within the Logs directory: resolve it with Path.GetFullPath to obtain the normalized absolute path, and verify that the result starts with the full path of the Logs directory (including a trailing directory separator, so that a sibling directory with the same prefix does not match). Reject the request if the check fails, rather than attempting to strip ".." from the input.
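As an added example (not Ombi's code, and not part of the original report), the following C# places the report's Path.Combine sink beside a resolver that applies the remediation above, and runs both against a benign log name, a ".." traversal and a rooted path. The class and method names (LogFileResolver, VulnerableResolve, SafeResolve) and the temporary storage path are this example's own assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example (not Ombi's code): the vulnerable Path.Combine sink from the
// report beside a hardened resolver that applies the remediation above.
public static class LogFileResolver
{
    // Mirrors the report's sink: Path.Combine(storagePath, "Logs", logFileName)
    // with no validation. ".." segments walk out of Logs, and a rooted
    // logFileName makes Path.Combine discard the first two arguments.
    public static string VulnerableResolve(string storagePath, string logFileName)
    {
        return Path.Combine(storagePath, "Logs", logFileName);
    }

    // Hardened version: returns the absolute path inside Logs, or null when
    // the request resolves anywhere else.
    public static string SafeResolve(string storagePath, string logFileName)
    {
        if (string.IsNullOrWhiteSpace(logFileName))
            return null;

        // Canonical Logs directory with a trailing separator, so that a prefix
        // match on ".../Logs" cannot be satisfied by a sibling such as ".../Logs2".
        string logsDir = Path.GetFullPath(Path.Combine(storagePath, "Logs"));
        if (!logsDir.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            logsDir += Path.DirectorySeparatorChar;

        // Path.GetFullPath collapses "." and ".." and turns a rooted
        // logFileName into its own absolute path, so the prefix test below
        // sees the real target rather than the raw request string.
        string candidate = Path.GetFullPath(Path.Combine(logsDir, logFileName));

        // Windows paths are case-insensitive; Linux/macOS paths are not.
        StringComparison cmp = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        return candidate.StartsWith(logsDir, cmp) ? candidate : null;
    }

    public static void Main()
    {
        // Constructed inputs: a legitimate log name, a traversal attempt and a
        // rooted path. The storage root is hypothetical.
        string storagePath = Path.Combine(Path.GetTempPath(), "ombi");
        string[] requests = { "ombi.log", "../../appsettings.json", "/etc/passwd" };

        foreach (string name in requests)
        {
            Console.WriteLine($"request: {name}");
            Console.WriteLine($"  vulnerable -> {VulnerableResolve(storagePath, name)}");
            Console.WriteLine($"  hardened   -> {SafeResolve(storagePath, name) ?? "rejected"}");
        }
    }
}
```

Two caveats for anyone porting this check: Path.GetFullPath is purely lexical, so a symbolic link planted inside Logs can still point outside it; and if log files are only ever written directly into Logs with no subdirectories, an even simpler rule is to reject any logFileName for which Path.GetFileName(logFileName) differs from the input, which refuses every separator and ".." segment before any path is built.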
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is published.
Credit
This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
Contact
You can contact the GHSL team at [email protected], please include a reference to GHSL-2023-088 in any communication regarding this issue.
Disclosure Policy
This report is subject to our coordinated disclosure policy. Please note that we have a 90 day disclosure policy, meaning any findings may be reported publicly after 90 days.