s3 bucket takeover in obs-plugintemplate/ci/macos/install-build-obs-macos.sh and obs-plugintemplate/ci/macos/install-dependencies-macos.sh that can lead to rce

[Gauravbhatia1211]

Hey team,

Summary:

I have found that in the code of install-build-obs-macos.sh and install-dependencies-macos.sh in obs-plugintemplate/ci/macos on github(https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh , https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-dependencies-macos.sh) contains a s3 bucket which was unclaimed i.e (https://obs-nightly.s3-us-west-2.amazonaws.com)

Steps To Reproduce:

1.Create a s3 bucket with name obs-nightly and us west 2 region
2. Upload files with the name same as given in the code (e.g. Packages.pkg, osx-deps-2018-08-09.tar.gz)
3. Make the settings and change it as a static website
4. You have successfully taken the s3 bucket and now when any user runs the code the url with s3 get executed and an attacker
can spread dangerous malware and also can get rce.

POC:

1. Link for the s3 bucket takenover :- https://obs-nightly.s3-us-west-2.amazonaws.com/index.html
   

2. Github link that shows the s3 bucket :- https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-build-obs-macos.sh
   

3. Github link that shows the s3 bucket :- https://github.com/obsproject/obs-plugintemplate/blob/9f8e6d86a1bc287d4232db81561e65b34180cd83/ci/macos/install-dependencies-macos.sh
   

Remediaton

You should remove the unclaimed s3 bucket from the code and claim your official s3 bucket as soon as possible from both the codes as it possess a critical risk

Impact

An attacker can takeover the s3 bucket and can host his malicious content with the name (Packages.pkg, osx-deps-2018-08-09.tar.gz) as presented in the code and can achieve remote code execution and also can spread ransomware and many malicious files. This bug has a critical impact because the code of the tool that many people uses, contains unclaimed s3 bucket.

Note

Can i get a cve for this ? Also let me know if you need a video poc for it.

Regards,
Gaurav Bhatia

[Fenrirthviti]

As far as I'm aware, this is just a the plugin template repo which is outdated and pointing to things we don't use anymore such as that shell script. We haven't hosted any real packages on those for a while, which is why they are unclaimed. This is already going to be fixed by obsproject/obs-plugintemplate#15, so there's really no sense in fussing over this, IMO. That PR just needs to be given a final review and merged.

[Gauravbhatia1211]

Hey team,
The bucket is officially of obs-studio and also the shell file is also publicly accessible. Due to which many other people are using obs-nightly bucket and also the code. I request you to be please look into this deeply and let me know if it's eligible for bug bounty.

Regards,
Gaurav Bhatia

[Fenrirthviti]

We do not have a bug bounty program.

[Gauravbhatia1211]

Hey team,

I have seen that u give bounties for submitting a bug like u did in this #5074

Also many companies like alibaba using obs-nightly bucket also you can read my report that I reported to reddit on hackerone
https://hackerone.com/reports/1285598

[Fenrirthviti]

That's not a bug bounty, that's a feature bounty.

Again we do not have a bug bounty program and this is not really a valid bug report as the repo is example code. We haven't used those scripts on the main repository in quite some time and there is no risk of anything being exposed.

Thank you for the effort being put in here for what you think is a major issue, but it's really not. We don't use any of this anymore, and the repo just need to be completely rewritten, of which there is a pending PR for.

[Fenrirthviti]

We've landed the changes that were pending in the PR, so this is now resolved and the code no longer exists. It was removed from the primary repository a long while back: 2ca1521 around here, when we updated to the new build system.