Serviio Media Server Command Injection Vulnerability in REST API Endpoint
Vulnerability
A command injection vulnerability allowing unauthenticated arbitrary command execution has been identified in Serviio Media Server versions 1.4 through 1.8 on Windows. The vulnerability resides in the '/rest/action' API endpoint, exposed by the console component on its default port, 23423. The root cause is that the 'checkStreamUrl' method accepts a 'VIDEO' parameter and passes it to 'cmd.exe' without sanitization, so shell metacharacters in the parameter are interpreted by the command processor and commands run with the web server's privileges. The REST API is exposed by default and has no access controls, so exploitation requires no authentication.
Impact
Successful exploitation results in unauthorized command execution on the server with SYSTEM privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/rest/action' endpoint with the action set to 'checkStreamUrl'. The 'VIDEO' parameter can be manipulated to include command execution payloads, such as escape sequences that the Windows command processor interprets. This can be automated with a Python script that constructs the request, or with a Metasploit module written for this vulnerability.
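The following detector is an added example, not code from Serviio or from any exploit module for this issue. It scans request-log lines for the pattern the advisory describes (a POST to '/rest/action' with action 'checkStreamUrl' whose 'VIDEO' value is not a plain http(s) URL) and also shows the strict allowlist a defender would put in front of such a parameter. The log format, the `SAMPLE_LOG` lines, and the addresses in them are constructed for this example and are not real traffic; a real deployment would adapt `LOG_RE` to its proxy or WAF log format.

```python
"""Flag suspicious 'checkStreamUrl' requests to Serviio's /rest/action endpoint.

Added example (not Serviio's code). Detection runs over constructed log lines;
the allowlist validator is the kind of input check a defender would add in
front of the VIDEO parameter. Validation is only a mitigation layer: the real
fix is to stop passing the value through cmd.exe at all.
"""
import re
from urllib.parse import parse_qs, urlparse

# Characters cmd.exe treats specially. A stream URL that is handed to a shell
# should never contain them. Legitimate query strings containing '&' will also
# be flagged; that is a deliberate, conservative choice for this detector.
CMD_METACHARS = frozenset('"|^<>&\r\n')

# Constructed log format (assumption): "<client> <METHOD> <path> body=<urlencoded body>"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$')


def is_safe_stream_url(value: str) -> bool:
    """Strict allowlist for a VIDEO value: http(s) URL with a host and no
    shell metacharacters. Returns False for anything else."""
    if any(ch in CMD_METACHARS for ch in value):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def inspect_line(line: str):
    """Return a finding dict for a suspicious checkStreamUrl request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m.group("method") != "POST" or m.group("path") != "/rest/action":
        return None
    params = parse_qs(m.group("body"), keep_blank_values=True)
    if params.get("action") != ["checkStreamUrl"]:
        return None
    for video in params.get("VIDEO", []):
        if not is_safe_stream_url(video):
            return {"client": m.group("client"), "video": video,
                    "reason": "VIDEO fails strict URL allowlist"}
    return None


def scan_log(lines):
    """Run inspect_line over every line and return the list of findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic): one benign request, one
# unrelated request, one VIDEO value carrying shell metacharacters, and one
# VIDEO value that is not an http(s) URL at all.
SAMPLE_LOG = [
    "203.0.113.5 POST /rest/action body=action=checkStreamUrl&VIDEO=http%3A%2F%2F192.0.2.10%2Fclip.mp4",
    "203.0.113.5 GET /console/ body=",
    "198.51.100.7 POST /rest/action body=action=checkStreamUrl&VIDEO=http%3A%2F%2F192.0.2.10%2Fclip.mp4%22%26junk",
    "198.51.100.7 POST /rest/action body=action=checkStreamUrl&VIDEO=file%3A%2F%2F%2FC%3A%2Fnotaurl",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run as a script, it prints the two findings from `SAMPLE_LOG` (both from the second client). The same `is_safe_stream_url` check, applied server-side before the value reaches any process launch, would reject those inputs outright; pairing it with launching the helper process without a shell removes the injection surface entirely.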
