Date: Wed, 03 May 2017 01:35:45 +0000
From: Maor Shwartz <maors@...ondsecurity.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SSD Advisory – Serviio Media Server Multiple Vulnerabilities

SSD Advisory – Serviio Media Server Multiple Vulnerabilities
Link to the blog post: https://blogs.securiteam.com/index.php/archives/3094

Vulnerabilities Summary
The following advisory describes five (5) vulnerabilities found in
Serviio Media Server. Affected versions: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1.

Serviio is a free media server. It allows you to stream your media files
(music, video or images) to renderer devices (e.g. a TV set, Bluray player,
games console or mobile phone) on your connected home network.

Serviio works with many devices from your connected home (TV, Playstation
3, XBox 360, smart phones, tablets, etc.). It supports profiles for
particular devices so that it can be tuned to maximise the device’s
potential and/or minimize lack of media format playback support (via
transcoding).

Serviio is based on Java technology and therefore runs on most platforms,
including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).

The vulnerabilities found in Serviio Media Server are:

   - Remote Code Execution
   - Local Privilege Escalation
   - Unauthenticated Password Modification
   - Information Disclosure
   - DOM-Based Cross-Site Scripting (XSS)

Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor Response
We have tried on numerous occasions over the past two months to contact the
vendor; all emails sent to them went unanswered.

*Vulnerabilities Details*

Remote Code Execution
Serviio Media Server is affected by an unauthenticated remote code
execution vulnerability due to improper access control enforcement of the
Configuration REST API and unsanitized input when *FFMPEGWrapper* calls
*cmd.exe* to execute system commands. A remote attacker can exploit this
with a simple *JSON* request, gaining system access with SYSTEM privileges
via a specially crafted request and escape sequence.

Vulnerable Code
Vulnerable file path:
org/serviio/ui/resources/server/ActionsServerResource.java
    private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {
        this.validateParameters(representation, 2);
        try {
            MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));
            String url = StringUtils.trim(representation.getParameters().get(1));
            LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);
            DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);
            FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);
            return this.responseOk();
        }
        catch (InvalidMediaFormatException e) {
            return this.responseOk(603);
        }

Vulnerable file path: serviio.jar / external / ProcessExecutor.java
    private Map<String, String> createWindowsRuntimeEnvironmentVariables() {
        HashMap<String, String> newEnv = new HashMap<String, String>();
        newEnv.putAll(System.getenv());
        ProcessExecutorParameter[]
-- 

--
Thanks
Maor Shwartz
GPG Key ID: 93CC36E2DE7FF514

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
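
The advisory attributes the remote code execution to a request parameter (the stream URL) reaching cmd.exe unsanitized. The following is an added hardening sketch, not code from the advisory or from Serviio: it validates the URL and passes it to the external program as a single argument with no shell involved. The class and method names, the scheme allow-list and the "-i" invocation are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class StreamUrlCheck {
    // Assumed allow-list; adjust to the stream types actually supported.
    private static final Set<String> SCHEMES = Set.of("http", "https", "rtsp", "mms");
    /** Returns the normalized URL, or throws if it is not an acceptable stream URL. */
    static String validateStreamUrl(String raw) {
        if (raw == null || raw.length() > 2048) {
            throw new IllegalArgumentException("missing or oversized URL");
        }
        URI uri;
        try {
            // The single-argument constructor rejects quotes, spaces, '^', '|', '<' and '>'.
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URI", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        if (uri.getHost() == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        return uri.toASCIIString();
    }
    /** Builds the process with the URL as one argv element; no cmd.exe, no string concatenation. */
    static ProcessBuilder ffmpegProbe(String ffmpegPath, String url) {
        // "-i <url>" is an assumed invocation; '&' is legal in a URL but inert here.
        return new ProcessBuilder(List.of(ffmpegPath, "-i", validateStreamUrl(url)));
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary stream URL, three that must be refused.
        String[] samples = { "http://media.example/a.mp4?x=1&y=2",
                "http://media.example/a\" & b", "file:///C:/media/a.mp4", "-version" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + ffmpegProbe("ffmpeg.exe", s).command());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Input handling covers only one of the two causes the advisory names: the Configuration REST API also has to authenticate callers before an action such as checkStreamUrl is reachable.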
