[BreachExchange] Twonky Server – Beware What You (Unintentionally) Share

Destry Winant destry at riskbasedsecurity.com
Tue Mar 16 10:45:03 EDT 2021


https://www.riskbasedsecurity.com/2021/03/16/twonky-server-beware-what-you-unintentionally-share/

There is a long story about how we came to examine software called
Twonky Server, but it’s not particularly exciting so we’ll skip right
over that. Let’s just say, its conspicuous name played a role. But it
is our research findings that are far more interesting and important.

Twonky Server is a DLNA / UPnP Media Server from Lynx Technology.
According to the vendor, it “enables sharing media content between
connected devices” and “is available as a standalone server (end user
installable, e.g. for PCs/Macs) or an embedded server for devices such
as NAS, routers/gateways and STBs”.

To get an idea about the vulnerability history of the product, we ran
a quick query in VulnDB and noticed a few entries, with the latest
ones dating back to 2018.

According to a blog post by modzero from 2018, one of the later
vulnerabilities was a path traversal issue that allowed filenames on
the system to be disclosed (VulnDB 177763 / CVE-2018-7171). In
combination with another vulnerability (VulnDB 177851 /
CVE-2018-9148), a remote attacker was able to gain admin access to the
Twonky Server web interface.

At the time, it was recommended to protect Twonky Server installations
with password authentication to prevent exploitation of the above
vulnerabilities. Sharing photos and videos on the Internet is a
decision everyone has to make for themselves. However, when it comes
to media files that are rather private, authentication is an essential
feature for preventing unauthorized access to your data.

Twonky Server allows restricting access to the shared media folders by
enabling the ‘Multi User’ mode in the settings tab of the web-based
management interface. To restrict access to the web-based management
interface itself, a username and password must be set for the ‘admin’
account.

Looking at the web-based management interface, we noticed an RPC
endpoint, which allowed us to query various configuration options. In
particular, the following requests returned information about the
admin user without the requirement of being authenticated.

http://[host]/rpc/get_all
http://[host]/rpc/get_option?accessuser
http://[host]/rpc/get_option?accesspwd

While the ‘accessuser’ option contained our configured username for
the admin account, the ‘accesspwd’ option did not represent a
cleartext password. It didn’t look like a hash value or properly
encrypted string, either. Notably, changing the length of our password
would result in a change of length of the ‘accesspwd’ value
accordingly. This was suspicious enough to warrant a closer look. The
algorithm used turned out to be a very weak obfuscation function,
which consists of a simple transposition operation that could easily
be reversed. This means that if you have the obfuscated string, you
can get the cleartext password. We have developed a test script that
allows users to determine whether a device is affected by this issue.

This allowed us to gain admin access to affected Twonky Media servers
and, among other things, disable the configured user authentication to
then access media files that are managed by the server.

As of now, shodan.io returns 7,987 results for a generic search, which
is fewer than the 24,000 instances reported in 2018, but still a high
number of media servers that may unintentionally be accessible via the
Internet. If unpatched, the vulnerabilities described here may allow
admin access to the management interface.

The vulnerabilities were reported to the vendor on September 21, 2020,
and they released Twonky Server 8.5.2 on March 1, 2021 to address the
issues. Customers of our VulnDB solution were informed on March 2,
2021. The research paper was published on March 16, 2021.

The vendor has been responsive, but unfortunately would not provide us
with a list of affected devices. B2B customers were reportedly given
sufficient time to deploy the patches to their supported devices. As
can be seen in the disclosure timeline, the vendor requested to extend
the disclosure date on two occasions, which we agreed to. It is
reasonable to let the vendor ensure that the update is distributed to
their B2B customers and then be installed by all users of the consumer
devices.

The Twonky Server changelog only lists the fixed vulnerabilities as

“fixed password obfuscation and RPC security issues”

We also noticed a press release that actually references the vulnerabilities:

“security update fixes two recently discovered vulnerabilities that
otherwise could have been potentially exploited to allow remote
attackers to gain admin access to Twonky Server.”

It’s good to hear that the “security updates would benefit [their] end
users”, but it is disappointing that they chose not to mention the
source of the vulnerability information (our researchers) or that it
was a coordinated disclosure.

Recommendations

It is recommended to ensure that you run an updated Twonky Server
version on your NAS or router devices. If you want to test whether
your Twonky Server instance is affected (and we recommend doing so),
you can check the following endpoints. They should not return a valid
response without prior authentication:

http://[host]/rpc/get_all
http://[host]/rpc/get_option?accessuser
http://[host]/rpc/get_option?accesspwd
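As an added example (not the researchers' test script and not any Twonky code), the following Python script performs this check against your own server: it requests the three endpoints above without credentials and reports each one as exposed, protected or unreachable. It assumes that a fixed server answers with a non-200 status or an empty body; the host, port and offline sample responses are constructed placeholders.

```python
"""Self-check for the unauthenticated Twonky RPC endpoints named in the article.
Added example; not the researchers' own test script and not vendor code."""
import sys
import urllib.error
import urllib.request

# The three endpoints from the article, queried exactly as written there
# (the option name is the raw query string, with no "=value").
RPC_PATHS = ("/rpc/get_all", "/rpc/get_option?accessuser", "/rpc/get_option?accesspwd")

def classify_response(status, body):
    """Assumption (article only says a fixed server should not return a valid
    response): HTTP 200 with a non-empty body = exposed, anything else = protected."""
    if status == 200 and body.strip():
        return "exposed"
    return "protected"

def fetch(url, timeout=5):
    """GET url without credentials; returns (status, body) or (None, error)."""
    req = urllib.request.Request(url, headers={"User-Agent": "twonky-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 etc. land here
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)

def check_host(host, fetcher=fetch):
    """Query each endpoint on your own server; returns {path: verdict}."""
    results = {}
    for path in RPC_PATHS:
        status, body = fetcher("http://" + host + path)
        results[path] = "unreachable" if status is None else classify_response(status, body)
    return results

# Constructed offline sample (not captured from a real device): an unpatched
# server answers all three endpoints with HTTP 200 and some content.
SAMPLE_UNPATCHED = {"http://sample" + p: (200, "value") for p in RPC_PATHS}

def run_offline_sample(responses=SAMPLE_UNPATCHED):
    """Run check_host against the constructed sample instead of the network."""
    return check_host("sample", fetcher=lambda url: responses[url])

if __name__ == "__main__":
    # Usage: python twonky_selfcheck.py <host[:port]>  (your own server only);
    # without an argument the constructed offline sample is evaluated instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, verdict in (check_host(target) if target else run_offline_sample()).items():
        print(f"{verdict:11} {path}")
```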

