Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change

Title: Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change
Advisory ID: ZSL-2017-5407
Type: Local/Remote
Impact: Manipulation of Data, Security Bypass
Risk: (4/5)
Release Date: 03.05.2017
Summary
Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.
Description
The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page.
Vendor
Petr Nejedly | Six Lines Ltd - http://www.serviio.org
Affected Version
1.8.0.0 PRO
1.7.1
1.7.0
1.6.1
Tested On
Restlet-Framework/2.2
Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Vendor Status
[12.12.2016] Vulnerability discovered.
[02.05.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
serviio_pwd.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://blogs.securiteam.com/index.php/archives/3094
[2] https://www.exploit-db.com/exploits/41960/
[3] https://packetstormsecurity.com/files/142386
[4] https://cxsecurity.com/issue/WLB-2017050025
[5] http://www.securitylab.ru/poc/486047.php
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/125645
Changelog
[03.05.2017] - Initial release
[05.05.2017] - Added reference [2], [3] and [4]
[08.05.2017] - Added reference [5]
[30.05.2017] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk