← Advisories

Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change

High
Advisory ID
ZSL-2017-5407
Release Date
03 May 2017
Vendor
Petr Nejedly, Six Lines Ltd - http://www.serviio.org
Affected Version
1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
CVE
CVE-2017-20220
Tested On
Restlet-Framework/2.2, Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8, Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8, Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Summary

Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.

Description

The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page.

Proof of Concept
serviio_pwd.pyTXT
Disclosure Timeline
12.12.2016Vulnerability discovered.
02.05.2017Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://blogs.securiteam.com/index.php/archives/3094
[2]https://www.exploit-db.com/exploits/41960/
[3]https://packetstormsecurity.com/files/142386
[4]https://cxsecurity.com/issue/WLB-2017050025
[5]http://www.securitylab.ru/poc/486047.php
[6]https://exchange.xforce.ibmcloud.com/vulnerabilities/125645
[7]https://www.cve.org/CVERecord?id=CVE-2017-20220
Changelog
03.05.2017Initial release
05.05.2017Added reference [2], [3] and [4]
08.05.2017Added reference [5]
30.05.2017Added reference [6]
24.03.2026Added reference [7]