Twonky Server – Beware What You (Unintentionally) Share
March 16, 2021 • RBS
There is a long story about how we came to examine software called Twonky Server, but it’s not particularly exciting so we’ll skip right over that. Let’s just say, its conspicuous name played a role. But it is our research findings that are far more interesting and important.
Twonky Server is a DLNA / UPnP Media Server from Lynx Technology. According to the vendor, it “enables sharing media content between connected devices” and ”is available as a standalone server (end user installable, e.g. for PCs/Macs) or an embedded server for devices such as NAS, routers/gateways and STBs”.
To get an idea about the vulnerability history of the product, we ran a quick query in VulnDB and noticed a few entries, with the latest ones dating back to 2018.
According to a blog post by modzero from 2018, one of the later vulnerabilities was a path traversal issue that allows to disclose filenames on the system (VulnDB 177763 / CVE-2018-7171). In combination with another vulnerability (VulnDB 177851 / CVE-2018-9148), a remote attacker was able to gain admin access to the Twonky Server web interface.
At the time, it was recommended to protect Twonky Server installation with password authentication to prevent exploitation of the above vulnerabilities. Sharing photos and videos on the Internet is a decision everyone has to make for themselves. However, when it comes to media files that are rather private, authentication is an essential feature for preventing unauthorized access to your data.
Twonky Server allows restricting access to the shared media folders by enabling the ‘Multi User’ mode in the settings tab of the web-based management interface. And to restrict access to the web-based management interface, it requires to set a username and password for the ‘admin’ account.
Looking at the web-based management interface, we noticed an RPC endpoint, which allowed us to query various configuration options. In particular, the following requests returned information about the admin user without the requirement of being authenticated.
While the ‘accessuser’ option contained our configured username for the admin account, the ‘accesspwd’ option did not represent a cleartext password. It didn’t look like a hash value or properly encrypted string, either. Notably, changing the length of our password would result in a change of length of the ‘accesspwd’ value accordingly. This was suspicious enough to warrant a closer look. The algorithm used turned out to be a very weak obfuscation function, which consists of a simple transposition operation that could easily be reversed. This means that if you have the obfuscated string, you can get the cleartext password. We have developed a test script that allows users to determine whether a device is affected by this issue.
This allowed us to gain admin access to affected Twonky Media servers and, among other things, disable the configured user authentication to then access media files that are managed by the server.
As of now, shodan.io returns 7,987 results for a generic search, which is fewer than the 24,000 instances reported in 2018, but still a high number of media servers that may unintentionally be accessible via the Internet. If unpatched, the vulnerabilities described here may allow admin access to the management interface.
The vulnerabilities were reported to the vendor on September 21, 2020, and they released Twonky Server 8.5.2 on March 1, 2021 to address the issues. Customers of our VulnDB solution were informed on March 2nd 2021. The research paper was published on March 16th 2021.
The vendor has been responsive, but unfortunately would not provide us with a list of affected devices. B2B customers were reportedly given sufficient time to deploy the patches to their supported devices. As can be seen in the disclosure timeline, the vendor requested to extend the disclosure date on two occasions, which we agreed to. It is reasonable to let the vendor ensure that the update is distributed to their B2B customers and then be installed by all users of the consumer devices.
The Twonky Server changelog only lists the fixed vulnerabilities as
“fixed password obfuscation and RPC security issues”
We also noticed a press release that actually references the vulnerabilities:
“security update fixes two recently discovered vulnerabilities that otherwise could have been potentially exploited to allow remote attackers to gain admin access to Twonky Server.”
It’s good to hear that the “security updates would benefit [their] end users”, but it is disappointing that they chose not to mention the source of the vulnerability information (our researchers) or that it was a coordinated disclosure.
It is recommended to ensure that you run an updated Twonky Server version on your NAS or router devices. In case you need to test whether your Twonky Server instance is affected – and we recommend you to do so – you can check the following endpoints. They should not return a valid response without prior authentication: