Zero Science Lab » MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability

MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability

Title: MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
Advisory ID: ZSL-2022-5717
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 16.10.2022

Summary

MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems.

Description

The application suffers from an OS command injection vulnerability. This can be exploited to execute arbitrary commands with root privileges.

Vendor

MiniDVBLinux - https://www.minidvblinux.de

Affected Version

<=5.4

Tested On

MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6

Vendor Status

[24.09.2022] Vulnerability discovered.
[27.09.2022] Vendor contacted.
[15.10.2022] No response from the vendor.
[16.10.2022] Public security advisory released.

PoC

mldhd_root2.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/168744/
[2] https://cxsecurity.com/issue/WLB-2022100049
[3] https://www.exploit-db.com/exploits/51096

Changelog

[16.10.2022] - Initial release
[04.12.2022] - Added reference [1] and [2]
[10.04.2023] - Added reference [3]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk