This module exploits an Object Injection vulnerability in Kaltura. By exploiting this vulnerability, unauthenticated users can execute arbitrary code under the context of the web server user.
Kaltura has a module named keditorservices that takes user input and then uses it as an unserialized function parameter. The constructed object is based on the SektionEins Zend code execution POP chain PoC, with a minor modification to ensure Kaltura processes it and the Zend_Log function's __destruct() method is called. Kaltura versions prior to 11.1.0-2 are affected by this issue.
Kaltura has their own RPM and/or DEB packages to help us to install it without any issue. Following steps are slightly different than official wiki in order to install the vulnerable packages.
1. Install CentOS-6 x64 and run `yum update -y` in order to fetch and install the latest packages. Also setting the hostname to something like _kalturahack.dev_ would be wise, because it will be used during Kaltura installation.
5. Kaltura repo is configured for the latest version by default. We need to change it to one of the vulnerable releases. Thus, open `/etc/yum.repos.d/kaltura.repo` file with your favorite text editor and perform following replacement.
Service URL [http://kalrpm.lcl:80]: "<http://apache-hostname:80>"
Kaltura Admin user (email address): "<your email address>"
Admin user login password (must be minimum 8 chars and include at least one of each: upper-case, lower-case, number and a special character): "<your kaltura admin password>"
Confirm passwd: "<your kaltura admin password>"
Your time zone [see http://php.net/date.timezone], or press enter for [Europe/Amsterdam]: "<your timezone>"
How would you like to name your system (this name will show as the From field in emails sent by the system) [Kaltura Video Platform]? "<your preferred system name>"
Your website Contact Us URL [http://corp.kaltura.com/company/contact-us]: "<your contact URL>"
