AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Twonky server login11/10/2023 ![]() ![]() ![]() And to restrict access to the web-based management interface, it requires to set a username and password for the ‘admin’ account. ![]() Looking at the web-based management interface, we noticed an RPC endpoint, which allowed us to query various configuration options. In particular, the following requests returned information about the admin user without the requirement of being authenticated. While the ‘accessuser’ option contained our configured username for the admin account, the ‘accesspwd’ option did not represent a cleartext password. It didn’t look like a hash value or properly encrypted string, either. Notably, changing the length of our password would result in a change of length of the ‘accesspwd’ value accordingly. This was suspicious enough to warrant a closer look. The algorithm used turned out to be a very weak obfuscation function, which consists of a simple transposition operation that could easily be reversed. This means that if you have the obfuscated string, you can get the cleartext password. We have developed a test script that allows users to determine whether a device is affected by this issue. This allowed us to gain admin access to affected Twonky Media servers and, among other things, disable the configured user authentication to then access media files that are managed by the server.Īs of now, shodan.io returns 7,987 results for a generic search, which is fewer than the 24,000 instances reported in 2018, but still a high number of media servers that may unintentionally be accessible via the Internet. If unpatched, the vulnerabilities described here may allow admin access to the management interface. The vulnerabilities were reported to the vendor on September 21, 2020, and they released Twonky Server 8.5.2 on Mato address the issues. Customers of our VulnDB solution were informed on March 2nd 2021. The research paper was published on March 16th 2021. The vendor has been responsive, but unfortunately would not provide us with a list of affected devices. B2B customers were reportedly given sufficient time to deploy the patches to their supported devices. “fixed password obfuscation and RPC security issues” The Twonky Server changelog only lists the fixed vulnerabilities as It is reasonable to let the vendor ensure that the update is distributed to their B2B customers and then be installed by all users of the consumer devices.Īs can be seen in the disclosure timeline, the vendor requested to extend the disclosure date on two occasions, which we agreed to. “security update fixes two recently discovered vulnerabilities that otherwise could have been potentially exploited to allow remote attackers to gain admin access to Twonky Server.” We also noticed a press release that actually references the vulnerabilities: Universal media server security password# Universal media server security password#.Universal media server security software#.Universal media server security update#. ![]()
0 Comments
Read More
Leave a Reply. |