|Serviio PRO 1.8 DLNA Media Streaming... - VULHUB开源网络安全威胁库

Serviio PRO 1.8 DLNA Media Streaming...

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### Summary Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network. ### Description The version of Serviio installed on the remote Windows host is affected by an unauthenticated remote code execution vulnerability due to improper access control enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper calls cmd.exe to execute system commands. A remote attacker can exploit this with a simple JSON request, gaining system access with SYSTEM privileges via a specially crafted request and escape sequence. ### Vendor Petr Nejedly | Six Lines Ltd - http://www.serviio.org ### Affected Version * 1.8.0.0 PRO * 1.7.1 * 1.7.0 * 1.6.1 ### Tested On * Restlet-Framework/2.2 * Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 * Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 * Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 ### detail `org/serviio/ui/resources/server/ActionsServerResource.java`: ``` # ----------------------------------------------------------- # # private ResultRepresentation checkStreamUrl(ActionRepresentation representation) { # this.validateParameters(representation, 2); # try { # MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0)); # String url = StringUtils.trim(representation.getParameters().get(1)); # LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType); # DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null); # FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context); # return this.responseOk(); # } # catch (InvalidMediaFormatException e) { # return this.responseOk(603); # } # ``` `serviio.jar / external / ProcessExecutor.java`: ``` # ---------------------------------------------- # # private Map<String, String> createWindowsRuntimeEnvironmentVariables() { # HashMap<String, String> newEnv = new HashMap<String, String>(); # newEnv.putAll(System.getenv()); # ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2]; # i18n[0] = new ProcessExecutorParameter("cmd"); # i18n[1] = new ProcessExecutorParameter("/C"); # for (int counter = 0; counter < this.commandArguments.length; ++counter) { # ProcessExecutorParameter argument = this.commandArguments[counter]; # String envName = "JENV_" + counter; # i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%"); # boolean quotesNeededForWindows = this.quotesNeededForWindows(argument); # if (!quotesNeededForWindows) { # argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue())); # } # newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows)); # } # this.commandArguments = i18n; # String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir")); # newEnv.put("HOMEDRIVE", tempPath[0]); # newEnv.put("HOMEPATH", tempPath[1]); # newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables()); # if (log.isTraceEnabled()) { # log.trace(String.format("Env variables: %s", newEnv.toString())); # } # return newEnv; # } # # private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) { # return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? "\"" : ""); # } # # protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) { # boolean quotesNeeded = argument.getValue().indexOf(" ") > -1; # return quotesNeeded; # } # # private String escapeAmpersandForWindows(String value) { # return value.replaceAll("&", "^&"); # } # ```

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™