AGL Development / SPEC-5091

Missing Authorization in mediaplayer


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Audio Manager
    • Raspberry Pi4
    • Raspberry Pi 4

      The AGL mediaplayer is remotely opening ports without an authentication process,
      allowing any user to connect and freely manipulate the mediaplayer.

      All mediaplayer commands such as playing and stopping music can be controlled,
      and it's even possible to forcibly terminate the mediaplayer.

      I checked it using a Raspberry Pi 4.
      I could also see the media player being operated, such as playing and stopping a song, on the screen.

       

      When I send the 'kill' command, the mediaplayer is dead.
      The following is the journalctl log.

       

      I think it's similar to the CVE-2022-24595 vulnerability.
      (https://nvd.nist.gov/vuln/detail/CVE-2022-24595)

       

      I checked this vulnerability on version 16.92.0.


            scottm Scott Murray
            JonghyukSong Jonghyuk Song
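A defender-side check for the condition this report describes, a service listening on a network-reachable address. This is an added example, not part of the original issue or of AGL code: it parses `/proc/net/tcp` (IPv4 only) and lists TCP listeners that are not bound to loopback. The sample table, its ports and UIDs are constructed, because the issue does not state which port the mediaplayer uses.

```python
import ipaddress
import os
import socket
import struct

TCP_LISTEN = "0A"  # value of the "st" column for a socket in LISTEN state

# Constructed sample in /proc/net/tcp format (not taken from the issue).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20111 1 0000000000000000 100 0 0 10 0
   1: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20222 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0202000A:D431 01 00000000:00000000 02:000A9F5C 00000000     0        0 20333 4 0000000000000000 20 4 30 10 -1
   3: 0F02000A:1389 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20444 1 0000000000000000 100 0 0 10 0
"""

def decode_endpoint(field):
    """Decode 'HEXIP:HEXPORT'; the kernel prints the IPv4 address as a
    host-order integer, little-endian on the Raspberry Pi 4 and on x86."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ipaddress.ip_address(ip), int(hex_port, 16)

def exposed_listeners(proc_net_tcp_text):
    """Return LISTEN sockets bound to anything other than loopback,
    i.e. reachable from the network unless a firewall blocks them."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(cols[1])
        if ip.is_loopback:
            continue
        findings.append({"ip": str(ip), "port": port,
                         "uid": int(cols[7]), "inode": int(cols[9])})
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    # Use the live table on a Linux target, otherwise the constructed sample.
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for f in exposed_listeners(text):
        print(f"{f['ip']}:{f['port']} uid={f['uid']} inode={f['inode']}")
```

Each reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process.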