obsproject/obs-plugintemplate

s3 bucket takeover presented in https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh

Gauravbhatia1211 opened this issue · 3 comments

Operating System Info

Windows 10

Other OS

No response

OBS Studio Version

Git

OBS Studio Version (Other)

No response

OBS Studio Log URL

https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh

OBS Studio Crash Log URL

No response

Expected Behavior

Hey team,

The S3 bucket referenced in https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh is unclaimed by you. The expected behavior is that the code should not use an unclaimed S3 bucket for downloading the osx-deps-2018-08-09.tar.gz file.

Current Behavior

The S3 bucket referenced in https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh is unclaimed by you, and the current behavior is that the code uses this unclaimed S3 bucket for downloading the osx-deps-2018-08-09.tar.gz file.

Steps to Reproduce

  1. Create an S3 bucket named obs-nightly in the us-west-2 region.
  2. Upload files with the same names as given in the code (e.g. osx-deps-2018-08-09.tar.gz).
  3. Change the bucket settings to enable static website hosting.
  4. You have now taken over the S3 bucket; when any user runs the code, the S3 URL is fetched and an attacker can spread dangerous malware.

Anything else we should know?

Impact: An attacker can achieve remote code execution when any user runs the install-dependencies code, due to the unclaimed S3 bucket. An attacker can also spread ransomware by adding his vulnerable payload.

POC:

  1. Link for the taken-over S3 bucket PoC: https://obs-nightly.s3-us-west-2.amazonaws.com/index.html
  2. GitHub link that shows the S3 bucket: https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh
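The defender-side counterpart of this report is to audit CI scripts for artifacts fetched from S3 buckets and to make sure each one is pinned to a SHA-256 digest, so that a bucket that changes hands cannot serve a substituted tarball. The following is an added example and is not code from this issue or from obs-plugintemplate; the `SAMPLE_SCRIPT` is constructed to resemble the bucket and key named above and is not the real `install-build-obs-macos.sh`, the placeholder digest of all zeros is not a real checksum, and the "pinned" detection is a heuristic (an artifact's file name and a 64-hex-digit literal on the same line).

```python
"""Audit a CI shell script for S3 downloads and check whether each artifact
is pinned to a SHA-256 digest. Added example, not obs-plugintemplate code."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# The three common S3 URL shapes: virtual-hosted (bucket.s3[-region].amazonaws.com/key),
# path-style (s3[.region].amazonaws.com/bucket/key) and the s3://bucket/key scheme.
S3_URL = re.compile(
    r"https?://(?P<vh_bucket>[a-z0-9.-]+)\.s3[.-](?:[a-z0-9-]+\.)?amazonaws\.com/(?P<vh_key>[^\s\"')]*)"
    r"|https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<ps_bucket>[a-z0-9.-]+)/(?P<ps_key>[^\s\"')]*)"
    r"|s3://(?P<s3_bucket>[a-z0-9.-]+)/(?P<s3_key>[^\s\"')]*)"
)
HEX64 = re.compile(r"\b[0-9a-f]{64}\b")  # a SHA-256 digest written in hex


@dataclass
class Finding:
    line: int
    bucket: str
    key: str
    pinned: bool  # True when a SHA-256 literal is tied to this artifact's file name


def audit_script(text: str) -> list[Finding]:
    """Return one Finding per S3 download found in the script text."""
    lines = text.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in S3_URL.finditer(line):
            bucket = m.group("vh_bucket") or m.group("ps_bucket") or m.group("s3_bucket")
            key = m.group("vh_key") or m.group("ps_key") or m.group("s3_key") or ""
            basename = key.rsplit("/", 1)[-1]
            # Heuristic: the artifact counts as pinned if its file name shares a line
            # with a 64-hex-digit digest (e.g. an `echo "<sha256>  file" | sha256sum -c -`).
            pinned = any(basename and basename in l and HEX64.search(l) for l in lines)
            findings.append(Finding(lineno, bucket, key, pinned))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_bytes(data: bytes, expected_sha256: str) -> bool:
    """Compare the actual digest with the pinned one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def verify_artifact(path: str, expected_sha256: str) -> bool:
    """What a hardened fetch step should do right after the download."""
    with open(path, "rb") as f:
        return verify_bytes(f.read(), expected_sha256)


# Constructed sample script: the first fetch has the shape reported in the issue
# (bucket URL, no digest); the second is pinned with a placeholder digest (all zeros).
SAMPLE_SCRIPT = """#!/bin/sh
set -e
DEPS=osx-deps-2018-08-09.tar.gz
curl -L -O https://obs-nightly.s3-us-west-2.amazonaws.com/$DEPS
tar -xf $DEPS
curl -L -O https://s3.us-west-2.amazonaws.com/example-deps-bucket/qt-5.tar.xz
echo "0000000000000000000000000000000000000000000000000000000000000000  qt-5.tar.xz" | sha256sum -c -
"""


def report(text: str) -> list[str]:
    """Human-readable lines, one per S3 download, flagging unpinned ones."""
    out = []
    for f in audit_script(text):
        status = "pinned" if f.pinned else "UNPINNED: bucket hijack would go unnoticed"
        out.append(f"line {f.line}: s3://{f.bucket}/{f.key} -> {status}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCRIPT)))
    # Digest check on in-memory data, standing in for the downloaded file.
    print(verify_bytes(b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

Run against a real script, the audit lists every bucket the pipeline depends on, which is the inventory needed to confirm each bucket is still owned by the project; every unpinned line is a place where a checksum should be added before the archive is extracted.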

To be fixed with #17

Hey team,
I want to know whether there is any bug bounty or other reward for reporting this?

Regards,
Gaurav Bhatia

We do not have any bug bounty programs, unfortunately, as we are an open source project. Thank you for this report, but as mentioned on the Discussion post that was created alongside this issue (please in the future do not make multiple reports of the same issue, one is fine) and as mentioned here, we don't use that build process anymore and this is simply a template stub that is not designed to be used as-is. It's just example code. Going to close this as it's fixed by pending PR #15