Headline
MiniDVBLinux 5.4 Config Download Exploit
Title: MiniDVBLinux 5.4 Config Download Exploit
Advisory ID: ZSL-2022-5713
Type: Local/Remote
Impact: Security Bypass, Exposure of System Information, Exposure of Sensitive Information, System Access, DoS, Privilege Escalation
Risk: (5/5)
Release Date: 16.10.2022
Summary
MiniDVBLinux™ Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems.
Description
The application is vulnerable to unauthenticated configuration download when a direct object reference is made to the backup function using an HTTP GET request. This allows an attacker to obtain sensitive information that can help in authentication bypass, privilege escalation and full system access.
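A detection sketch for the condition described above, added here as an example and not part of the original advisory: it scans web access logs for successful GET requests to the backup function made without an authenticated user. The backup path is a placeholder (the advisory text does not give it), and Common Log Format input, for instance from a reverse proxy placed in front of the device, is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Placeholder: the advisory text does not give the backup URL; set it per device.
BACKUP_PATH = "/PLACEHOLDER/backup"

# Common Log Format (assumed): host ident authuser [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def unauthenticated_backup_downloads(lines, backup_path=BACKUP_PATH):
    """Return GET requests to the backup path that succeeded with no auth user."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; ignore
        # Compare on the decoded path only, so query strings and %-encoding
        # do not hide a request to the backup function.
        path = unquote(urlsplit(m["target"]).path)
        if (m["method"] == "GET" and path == backup_path
                and m["status"].startswith("2") and m["user"] == "-"):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append({"host": m["host"], "time": m["time"], "bytes": size})
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - admin [16/Oct/2022:10:00:01 +0000] "GET /PLACEHOLDER/backup HTTP/1.1" 200 20480',
    '198.51.100.7 - - [16/Oct/2022:10:05:12 +0000] "GET /PLACEHOLDER/backup HTTP/1.1" 200 20480',
    '198.51.100.7 - - [16/Oct/2022:10:05:40 +0000] "GET /PLACEHOLDER/backup HTTP/1.1" 401 0',
    '198.51.100.9 - - [16/Oct/2022:10:06:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.8 - - [16/Oct/2022:10:07:15 +0000] "GET /PLACEHOLDER/%62ackup?ts=1 HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for hit in unauthenticated_backup_downloads(SAMPLE):
        print(f'{hit["time"]} {hit["host"]} downloaded {hit["bytes"]} bytes without authentication')
```

A 401 on the backup path or a 200 with a logged user is not reported; only the combination the advisory describes (success with no authenticated user) is.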
Vendor
MiniDVBLinux - https://www.minidvblinux.de
Affected Version
<=5.4
Tested On
MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vendor Status
[24.09.2022] Vulnerability discovered.
[27.09.2022] Vendor contacted.
[15.10.2022] No response from the vendor.
[16.10.2022] Public security advisory released.
PoC
mldhd_config.txt
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
N/A
Changelog
[16.10.2022] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]