CVE-2022-26505

Vulnerability

A DNS rebinding issue exists in ReadyMedia (formerly MiniDLNA) versions 1.3.0 and below [1][2]. The UPnP HTTP server in upnphttp.c does not properly validate the origin of HTTP requests, allowing a remote attacker to bypass the same-origin policy via DNS rebinding [3]. Affected versions: all releases prior to 1.3.1.

Exploitation

An attacker controls a malicious web server and tricks the victim's browser into visiting it. The attacker uses a domain name whose DNS resolution quickly changes (rebinding) from the attacker's IP to the victim's local IP (e.g., 127.0.0.1) [1][2]. Once the browser's DNS cache switches, the browser sends HTTP requests to the local ReadyMedia server on behalf of the attacker's domain. The attacker can then issue UPnP requests to list and fetch media files [2]. No authentication is required beyond the browser's initial visit to the attacker's site.

Impact

Successful exploitation enables the attacker to enumerate and download all media files shared by ReadyMedia without the user's consent [1][2]. The list of media files is exfiltrated to the attacker's remote server. This results in unauthorized disclosure of sensitive or personal media content (confidentiality breach). No code execution is reported; the impact is information disclosure.

Mitigation

The vulnerability is fixed in ReadyMedia version 1.3.1, which includes a commit that validates HTTP requests to protect against DNS rebinding [3]. Users should upgrade to 1.3.1 or later (e.g., 1.3.3 as noted in Gentoo advisory [4]). No workaround is known for unpatched versions. The fixed commit c212085 modifies upnphttp.c to enforce origin checks [3].