s3 bucket takeover presented in https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh
Gauravbhatia1211 opened this issue · 3 comments
Operating System Info
Windows 10
Other OS
No response
OBS Studio Version
Git
OBS Studio Version (Other)
No response
OBS Studio Log URL
OBS Studio Crash Log URL
No response
Expected Behavior
Hey team,
The S3 bucket referenced in https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh is unclaimed by you. The expected behavior is that you should not use an unclaimed S3 bucket in the code for downloading the osx-deps-2018-08-09.tar.gz file.
Current Behavior
The S3 bucket referenced in https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh is unclaimed by you. The current behavior is that you are using an unclaimed S3 bucket in the code for downloading the osx-deps-2018-08-09.tar.gz file.
Steps to Reproduce
- Create an S3 bucket with the name obs-nightly in the us-west-2 region
- Upload files with the same names as given in the code (e.g. osx-deps-2018-08-09.tar.gz)
- Change the bucket settings to serve it as a static website
- You have now successfully taken over the S3 bucket, and when any user runs the code the S3 URL gets fetched and an attacker can spread dangerous malware.
Anything else we should know?
Impact: An attacker is able to achieve remote code execution when any user runs the install-dependencies code, due to the unclaimed S3 bucket; an attacker can also spread ransomware by adding his payload.
POC:
- Link for the S3 bucket takeover PoC: https://obs-nightly.s3-us-west-2.amazonaws.com/index.html
- GitHub link that shows the S3 bucket: https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh
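As an added example (not code from the obs-plugintemplate repository), the following Python audit pulls every S3 bucket name out of a CI script and classifies each bucket from the response an unauthenticated GET would receive, so a dangling reference like the one reported here is caught before anyone else can register the name. The probe is injected and answered from constructed data so the audit runs offline; the sample script, the second bucket name and all response statuses are constructed for the example. Whatever the bucket state, pinning a checksum on the downloaded archive in the script is the control that makes a substituted file fail verification.

```python
import re

# S3 URL shapes seen in CI scripts; group 1 is the bucket name. Virtual-hosted form
# (<bucket>.s3-<region>.amazonaws.com, the shape reported above, plus .s3.<region> and .s3):
_VIRTUAL_HOST = re.compile(r"https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/", re.I)
# Path-style (s3-<region>.amazonaws.com/<bucket>/) and the s3:// scheme:
_PATH_STYLE = re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]+)/", re.I)
_S3_SCHEME = re.compile(r"s3://([a-z0-9.-]+)/", re.I)

def extract_buckets(script_text: str) -> set[str]:
    """Return every bucket name referenced by an S3 URL in the script."""
    found = set()
    for pattern in (_VIRTUAL_HOST, _PATH_STYLE, _S3_SCHEME):
        found.update(m.group(1).lower() for m in pattern.finditer(script_text))
    return found

def classify_bucket_response(status: int, body: str) -> str:
    """Interpret an unauthenticated GET on the bucket URL. S3 answers 404 NoSuchBucket only
    when no account owns the name (the state a takeover needs); 403 AccessDenied, 200 and
    301/307 PermanentRedirect (bucket in another region) all mean the name is owned."""
    if status == 404 and "<Code>NoSuchBucket</Code>" in body:
        return "unclaimed"
    if status in (200, 301, 307, 403):
        return "claimed"
    return "unknown"

def audit_script(script_text: str, probe) -> dict[str, str]:
    """Map each referenced bucket to its state; probe(bucket) -> (status, body).
    In production probe does a real GET; injecting it keeps the audit runnable offline."""
    return {b: classify_bucket_response(*probe(b)) for b in sorted(extract_buckets(script_text))}

# Constructed sample in the shape of the reported script. The second bucket name and every
# status below are made up for this example, not live results.
SAMPLE_SCRIPT = """#!/bin/sh
curl -L -O https://obs-nightly.s3-us-west-2.amazonaws.com/osx-deps-2018-08-09.tar.gz
curl -L -O https://s3-us-east-1.amazonaws.com/example-owned-bucket/tools.tar.gz
aws s3 cp s3://example-owned-bucket/ci-cache.tgz .
"""
_FAKE_RESPONSES = {
    "obs-nightly": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "example-owned-bucket": (403, "<Error><Code>AccessDenied</Code></Error>"),
}

def fake_probe(bucket: str):
    """Offline stand-in for an HTTP GET against the bucket; unknown buckets yield (0, '')."""
    return _FAKE_RESPONSES.get(bucket, (0, ""))
```

Running `audit_script(SAMPLE_SCRIPT, fake_probe)` reports obs-nightly as unclaimed and example-owned-bucket as claimed; any "unclaimed" entry is a reference to remove or re-home before the script ships.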
To be fixed with #17
Hey team,
I want to know whether there is any bug bounty or other reward for reporting this?
Regards,
Gaurav Bhatia
We do not have any bug bounty programs, unfortunately, as we are an open source project. Thank you for this report, but as mentioned on the Discussion post that was created alongside this issue (please in the future do not make multiple reports of the same issue, one is fine) and as mentioned here, we don't use that build process anymore and this is simply a template stub that is not designed to be used as-is. It's just example code. Going to close this as it's fixed by pending PR #15