← Advisories

Teradek VidiU Pro 3.0.3 (snapshot.cgi) Stream Disclosure

Medium
Advisory ID
ZSL-2018-5462
Release Date
21 May 2018
Vendor
Teradek, LLC - https://www.teradek.com
Affected Version
VidiU, VidiU Mini, VidiU Pro, 3.0.3 (build 32136), 3.0.2 (build 31225), 2.4.10
CVE
N/A
Tested On
lighttpd/1.4.48, lighttpd/1.4.31
Summary

The Teradek VidiU gives you the freedom to broadcast live high definition video directly to the Web without a PC. Whether you're streaming out of a video switcher or wirelessly from your camera, VidiU allows you to go live when you want, where you want. VidiU offers API level integration with the Ustream, YouTube Live and Livestream platforms, which makes streaming to your channel as easy as logging into your account.

Description

VidiU suffers from an unauthenticated and unauthorized live stream disclosure when snapshot.cgi script is called.

Proof of Concept
teradek_vidiu_stream.txtTXT
Disclosure Timeline
02.03.2018Vulnerability discovered.
08.05.2018Vendor contacted.
08.05.2018Vendor replied asking more details.
08.05.2018Sent details to the vendor.
10.05.2018Asked vendor for status update.
13.05.2018No response from the vendor.
14.05.2018Asked vendor for status update.
20.05.2018No response from the vendor.
21.05.2018Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://exchange.xforce.ibmcloud.com/vulnerabilities/143720
[2]https://cxsecurity.com/issue/WLB-2018050171
[3]https://packetstormsecurity.com/files/147790
Changelog
21.05.2018Initial release
29.05.2018Added reference [1], [2] and [3]