Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
Title: Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
Advisory ID: ZSL-2017-5408
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 03.05.2017
1.7.1
1.7.0
1.6.1
Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
[02.05.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
High five to Piet van Hekke!
[2] https://www.exploit-db.com/exploits/41961/
[3] https://cxsecurity.com/issue/WLB-2017050024
[4] https://packetstormsecurity.com/files/142387
[5] http://www.securitylab.ru/poc/486046.php
[6] https://www.exploit-db.com/exploits/42023/
[7] https://www.rapid7.com/db/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/125643
[05.05.2017] - Added reference [2], [3] and [4]
[08.05.2017] - Added reference [5]
[20.05.2017] - Added reference [6] and [7]
[30.05.2017] - Added reference [8]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2017-5408
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 03.05.2017
Summary
Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.Description
The version of Serviio installed on the remote Windows host is affected by an unauthenticated remote code execution vulnerability due to improper access control enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper calls cmd.exe to execute system commands. A remote attacker can exploit this with a simple JSON request, gaining system access with SYSTEM privileges via a specially crafted request and escape sequence.Vendor
Petr Nejedly | Six Lines Ltd - http://www.serviio.orgAffected Version
1.8.0.0 PRO1.7.1
1.7.0
1.6.1
Tested On
Restlet-Framework/2.2Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
Vendor Status
[12.12.2016] Vulnerability discovered.[02.05.2017] Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.
PoC
serviio_rce.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>High five to Piet van Hekke!
References
[1] https://blogs.securiteam.com/index.php/archives/3094[2] https://www.exploit-db.com/exploits/41961/
[3] https://cxsecurity.com/issue/WLB-2017050024
[4] https://packetstormsecurity.com/files/142387
[5] http://www.securitylab.ru/poc/486046.php
[6] https://www.exploit-db.com/exploits/42023/
[7] https://www.rapid7.com/db/modules/exploit/windows/http/serviio_checkstreamurl_cmd_exec
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/125643
Changelog
[03.05.2017] - Initial release[05.05.2017] - Added reference [2], [3] and [4]
[08.05.2017] - Added reference [5]
[20.05.2017] - Added reference [6] and [7]
[30.05.2017] - Added reference [8]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
