
There is a long story about how we came to examine software called Twonky Server, but it's not particularly exciting so we'll skip right over that. Let's just say, its conspicuous name played a role. But it is our research findings that are far more interesting and important.

Twonky Server is a DLNA / UPnP Media Server from Lynx Technology. According to the vendor, it "enables sharing media content between connected devices" and "is available as a standalone server (end user installable, e.g. for PCs/Macs) or an embedded server for devices such as NAS, routers/gateways and STBs".

To get an idea about the vulnerability history of the product, we ran a quick query in VulnDB and noticed a few entries, with the latest ones dating back to 2018. According to a blog post by modzero from 2018, one of the later vulnerabilities was a path traversal issue that allows disclosing filenames on the system (VulnDB 177763 / CVE-2018-7171). In combination with another vulnerability (VulnDB 177851 / CVE-2018-9148), a remote attacker was able to gain admin access to the Twonky Server web interface.

At the time, it was recommended to protect Twonky Server installations with password authentication to prevent exploitation of the above vulnerabilities. Sharing photos and videos on the Internet is a decision everyone has to make for themselves. However, when it comes to media files that are rather private, authentication is an essential feature for preventing unauthorized access to your data. Twonky Server allows restricting access to the shared media folders by enabling the 'Multi User' mode in the settings tab of the web-based management interface. And to restrict access to the web-based management interface, it requires setting a username and password for the 'admin' account.

Looking at the web-based management interface, we noticed an RPC endpoint which allowed us to query various configuration options. In particular, the following requests returned information about the admin user without requiring authentication. While the 'accessuser' option contained our configured username for the admin account, the 'accesspwd' option did not represent a cleartext password. It didn't look like a hash value or a properly encrypted string, either. Notably, changing the length of our password would change the length of the 'accesspwd' value accordingly. This was suspicious enough to warrant a closer look. The algorithm used turned out to be a very weak obfuscation function, consisting of a simple transposition operation that could easily be reversed. This means that if you have the obfuscated string, you can get the cleartext password. We have developed a test script that allows users to determine whether a device is affected by this issue.

As of now, shodan.io returns 7,987 results for a generic search, which is fewer than the 24,000 instances reported in 2018, but still a high number of media servers that may unintentionally be accessible via the Internet.

This allowed us to gain admin access to affected Twonky Media servers and, among other things, disable the configured user authentication to then access media files that are managed by the server. If unpatched, the vulnerabilities described here may allow admin access to the management interface. The vulnerabilities were reported to the vendor on September 21, 2020, and they released Twonky Server 8.5.2 on Ma… to address the issues. Customers of our VulnDB solution were informed on March 2nd 2021. The research paper was published on March 16th 2021.

The vendor has been responsive, but unfortunately would not provide us with a list of affected devices. B2B customers were reportedly given sufficient time to deploy the patches to their supported devices. As can be seen in the disclosure timeline, the vendor requested to extend the disclosure date on two occasions, which we agreed to. It is reasonable to let the vendor ensure that the update is distributed to their B2B customers and then installed by all users of the consumer devices. The Twonky Server changelog only lists the fixed vulnerabilities as "fixed password obfuscation and RPC security issues". We also noticed a press release that actually references the vulnerabilities: "security update fixes two recently discovered vulnerabilities that otherwise could have been potentially exploited to allow remote attackers to gain admin access to Twonky Server." It's good to hear that the "security updates would benefit end users", but it is disappointing that they chose not to mention the source of the vulnerability information (our researchers) or that it was a coordinated disclosure.

It is recommended to ensure that you run an updated Twonky Server version on your NAS or router devices. In case you need to test whether your Twonky Server instance is affected, and we recommend you do so, you can check the following endpoints.
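The observations that made the 'accesspwd' value suspicious (its length tracks the password length, and it is neither a hash nor ciphertext) can be turned into a small audit for any product that stores credentials. The following is an added example, not the researchers' test script or any Twonky code; `toy_transposition` is a constructed stand-in, since the write-up does not publish the real obfuscation algorithm.

```python
import hashlib
import re
from collections import Counter

# Constructed stand-in for a weak obfuscator (NOT Twonky's real algorithm,
# which the write-up does not publish): swapping adjacent characters is a
# transposition, so the output is just a permutation of the input.
def toy_transposition(password: str) -> str:
    chars = list(password)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)

def sha256_hex(password: str) -> str:  # what a fixed-size digest looks like
    return hashlib.sha256(password.encode()).hexdigest()

# crypt-style prefix ($2b$, $6$, ...) or a bare hex digest of at least 128 bits
HASH_LIKE = re.compile(r"^(\$[A-Za-z0-9]+\$.+|[0-9a-f]{32,})$")

def audit_stored_secret(pairs):
    """pairs: (cleartext, stored_value) samples for the same account, set with
    passwords of different lengths. Encodes the write-up's observations: a
    fixed-size hash does not track the cleartext length, and a transposition
    keeps exactly the cleartext's characters, so it is trivially reversible."""
    if len({len(p) for p, _ in pairs}) < 2:
        raise ValueError("use passwords of at least two different lengths")
    plain = all(s == p for p, s in pairs)
    permutation = all(Counter(s) == Counter(p) for p, s in pairs)
    tracks_length = all(len(s) == len(p) for p, s in pairs)
    hash_like = all(HASH_LIKE.match(s) for _, s in pairs)
    if plain:
        verdict = "cleartext"
    elif permutation:
        verdict = "weak: reversible transposition of the cleartext"
    elif tracks_length:
        verdict = "suspicious: length tracks the cleartext, not a fixed-size hash"
    elif hash_like:
        verdict = "hash-like: fixed-size digest or crypt format"
    else:
        verdict = "unknown encoding"
    return {"verdict": verdict, "tracks_length": tracks_length,
            "permutation": permutation, "hash_like": hash_like}

# Constructed sample passwords of two lengths, as in the write-up's test.
SAMPLES = ["hunter2", "correct horse battery"]
def demo():
    weak = audit_stored_secret([(p, toy_transposition(p)) for p in SAMPLES])
    strong = audit_stored_secret([(p, sha256_hex(p)) for p in SAMPLES])
    return weak["verdict"], strong["verdict"]
```

Running `demo()` classifies the constructed transposition as weak and the digest as hash-like; in practice you would feed it the stored values read back from the product's own configuration after setting passwords of different lengths.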
