Coordinated Disclosure Timeline

Summary

Ombi, an application that allows users to request specific media from popular self-hosted streaming servers, contains a vulnerability that allows administrators to read arbitrary files on the Ombi host.

Product

Ombi

Tested Version

v4.36.1

Details

Arbitrary File Read in SystemController.cs (GHSL-2023-088)

An arbitrary file read vulnerability is present in the ReadLogFile and Download endpoints in SystemController.cs: the logFileName parameter is not sanitized before being combined with the Logs directory. Path.Combine(arg1, arg2, arg3) neither normalizes nor validates its arguments, so an attacker can escape the directory Path.Combine(arg1, arg2) by placing ".." segments in arg3. In addition, if arg3 is an absolute (rooted) path, Path.Combine discards the first two arguments entirely and returns arg3 unchanged.

public async Task<IActionResult> ReadLogFile(string logFileName, CancellationToken token)
{
    // logFileName is taken from the request and used without any validation
    var logFile = Path.Combine(string.IsNullOrEmpty(Ombi.Helpers.StartupSingleton.Instance.StoragePath) ? _hosting.ContentRootPath : Helpers.StartupSingleton.Instance.StoragePath, "Logs", logFileName);
    using (var fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
    // ... remainder of the method omitted

Note: I receive file errors when using the Download endpoint, but due to the similarity of the code in the two functions, it is clear that both endpoints share the same vulnerability.

public IActionResult Download(string logFileName, CancellationToken token)
{
    // same unvalidated Path.Combine as ReadLogFile
    var logFile = Path.Combine(string.IsNullOrEmpty(Ombi.Helpers.StartupSingleton.Instance.StoragePath) ? _hosting.ContentRootPath : Helpers.StartupSingleton.Instance.StoragePath, "Logs", logFileName);
    using (var fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
    // ... remainder of the method omitted
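
The following is an added example, not Ombi's code and not the project's fix: a small console program that reproduces the two Path.Combine behaviours described above (a ".." segment in the last argument walking out of Logs, and a rooted last argument discarding the first two arguments) and pairs the vulnerable pattern with a hardened resolver that only accepts a bare file name inside the Logs directory. The storage directory under the temp folder, the appsettings.json sibling file and the ResolveLogPath helper are assumptions for illustration; no files need to exist, since Path.GetFullPath only normalizes strings.

```csharp
#nullable enable
using System;
using System.IO;

// Added example (not Ombi's code): vulnerable Path.Combine pattern beside a hardened resolver.
public static class LogPathDemo
{
    // Mirrors the vulnerable pattern from ReadLogFile/Download: no validation of logFileName.
    public static string UnsafeCombine(string storagePath, string logFileName)
    {
        return Path.Combine(storagePath, "Logs", logFileName);
    }

    // Hardened version (assumed helper, not the upstream fix): returns the canonical path of the
    // requested log file, or null unless the request is a plain file name under <storagePath>/Logs.
    public static string? ResolveLogPath(string storagePath, string logFileName)
    {
        if (string.IsNullOrWhiteSpace(logFileName))
            return null;

        // A bare file name is not rooted and has no directory component. This rejects
        // "../x", "/etc/passwd" and "C:\Windows\win.ini" alike. (On Linux a backslash is not a
        // separator, so "..\x" is simply an odd file name and cannot traverse.)
        if (Path.IsPathRooted(logFileName) || logFileName != Path.GetFileName(logFileName))
            return null;

        // Path.GetFileName("..") returns "..", so the dot entries need an explicit check.
        if (logFileName == "." || logFileName == "..")
            return null;

        // Defence in depth: canonicalize both sides and re-check containment, so that a later
        // change to the checks above cannot silently reopen the traversal.
        var logsDir = Path.GetFullPath(Path.Combine(storagePath, "Logs"));
        var logsDirWithSep = logsDir.EndsWith(Path.DirectorySeparatorChar)
            ? logsDir
            : logsDir + Path.DirectorySeparatorChar;
        var candidate = Path.GetFullPath(Path.Combine(logsDir, logFileName));

        var cmp = OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!candidate.StartsWith(logsDirWithSep, cmp))
            return null;

        return candidate;
    }

    public static void Main()
    {
        // Assumed layout: <temp>/ombi-demo/Logs/ plus a sibling appsettings.json next to Logs.
        var storage = Path.Combine(Path.GetTempPath(), "ombi-demo");
        var secret = Path.GetFullPath(Path.Combine(storage, "appsettings.json"));

        // 1) ".." in the last argument walks out of Logs; Path.Combine does not normalize it.
        var traversal = Path.Combine("..", "appsettings.json");
        Console.WriteLine(UnsafeCombine(storage, traversal));
        Console.WriteLine(Path.GetFullPath(UnsafeCombine(storage, traversal)) == secret); // True

        // 2) A rooted last argument makes Path.Combine discard the first two arguments entirely.
        var rooted = Path.GetTempPath(); // any absolute path on the current OS
        Console.WriteLine(UnsafeCombine(storage, rooted) == rooted); // True

        // 3) The hardened resolver accepts only a plain file name inside Logs.
        Console.WriteLine(ResolveLogPath(storage, "log-20230101.txt")); // <storage>/Logs/log-20230101.txt
        Console.WriteLine(ResolveLogPath(storage, traversal) is null);  // True
        Console.WriteLine(ResolveLogPath(storage, rooted) is null);     // True
        Console.WriteLine(ResolveLogPath(storage, "..") is null);       // True
    }
}
```

The containment check compares against the Logs directory with a trailing separator on purpose: comparing against the bare directory string would also accept a sibling such as Logs-old. A stricter variant would enumerate the Logs directory and serve only names that actually appear in it, which removes the need to reason about path syntax at all.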

Impact

This vulnerability can lead to information disclosure. The Ombi documentation suggests running Ombi as a service (background process) with Administrator privileges. An attacker holding the Ombi administrator role on such a deployment may be able to read the files of any Windows user on the host machine, as well as certain system files. Because the host may be shared with other users and services, the Ombi administrator role does not imply that its holders should be able to read arbitrary system files or other users' files.

Proof of Concept

To trigger the vulnerability, authenticate as an Ombi administrator and request the logs endpoint with an absolute path to the target file in place of a log file name (per the Details above, a name containing ".." segments escapes the Logs directory in the same way):

curl -i -s -k -X GET \
  -H 'Host: localhost:3577' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Authorization: Bearer <insert admin bearer token>' \
  -H 'User-Agent: curl' \
  'http://localhost:3577/api/v2/system/logs/<insert full path to file>'

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2023-088 in any communication regarding this issue.