Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution

Title: Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
Advisory ID: ZSL-2017-5408
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 03.05.2017
Summary
Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.
Description
The version of Serviio installed on the remote Windows host is affected by an unauthenticated remote code execution vulnerability due to improper access control enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper calls cmd.exe to execute system commands. A remote attacker can exploit this with a simple JSON request, gaining system access with SYSTEM privileges via a specially crafted request and escape sequence.
Vendor
Petr Nejedly | Six Lines Ltd - http://www.serviio.org
Affected Version
1.8.0.0 PRO
1.7.1
1.7.0
1.6.1
Tested On
Restlet-Framework/2.2
Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Vendor Status
[12.12.2016] Vulnerability discovered.
[02.05.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
serviio_rce.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Piet van Hekke!
References
[1] https://blogs.securiteam.com/index.php/archives/3094
[2] https://www.exploit-db.com/exploits/41961/
[3] https://cxsecurity.com/issue/WLB-2017050024
[4] https://packetstormsecurity.com/files/142387
[5] http://www.securitylab.ru/poc/486046.php
[6] https://www.exploit-db.com/exploits/42023/
[7] https://www.rapid7.com/db/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/125643
Changelog
[03.05.2017] - Initial release
[05.05.2017] - Added reference [2], [3] and [4]
[08.05.2017] - Added reference [5]
[20.05.2017] - Added reference [6] and [7]
[30.05.2017] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk