MiniDVBLinux Authentication Bypass Vulnerability Allowing Unauthenticated Root Password Change
Vulnerability
An authentication bypass vulnerability has been identified in MiniDVBLinux version 5.4, allowing remote attackers to change the root password without any authentication. Exploitation involves sending crafted POST requests to the system setup endpoint, including modified SYSTEM_PASSWORD parameters to reset root credentials. The vulnerability arises from missing authentication for critical functions, enabling unauthorized access to system privileges.
Impact
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized root access on the system.
Reproduction
To reproduce this vulnerability, send a POST request to the system setup endpoint with the SYSTEM_PASSWORD parameter set to the desired password. The request can be made without authentication, as the password check is disabled by default.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.