Menu

Improved exploit search engine. Try it out

"Teracue ENC-400 - Command Injection / Missing Authentication"

Author

"Stephen Shkardoon"

Platform

hardware

Release date

2019-02-22

Release Date Title Type Platform Author
2019-05-22 "Carel pCOWeb < B1.2.1 - Credentials Disclosure" webapps hardware Luca.Chiou
2019-05-22 "Carel pCOWeb < B1.2.1 - Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-22 "AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-21 "TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting" webapps hardware "purnendu ghosh"
2019-05-14 "D-Link DWL-2600AP - Multiple OS Command Injection" webapps hardware "Raki Ben Hamouda"
2019-05-10 "RICOH SP 4520DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-10 "RICOH SP 4510DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-06 "LG Supersign EZ CMS - Remote Code Execution (Metasploit)" remote hardware "Alejandro Fanjul"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-04-30 "Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery" webapps hardware "Social Engineering Neo"
2019-04-30 "Intelbras IWR 3000N - Denial of Service (Remote Reboot)" webapps hardware "Social Engineering Neo"
2019-04-30 "Netgear DGN2200 / DGND3700 - Admin Password Disclosure" webapps hardware "Social Engineering Neo"
2019-04-25 "JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting" webapps hardware "Vikas Chaudhary"
2019-04-25 "JioFi 4G M2S 1.0.2 - Denial of Service" dos hardware "Vikas Chaudhary"
2019-04-22 "QNAP myQNAPcloud Connect 1.3.4.0317 - 'Username/Password' Denial of Service" dos hardware "Dino Covotsos"
2019-04-17 "ASUS HG100 - Denial of Service" dos hardware "YinT Wang"
2019-04-16 "Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting" webapps hardware "Aaron Bishop"
2019-04-15 "Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-04-10 "D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting" webapps hardware "Semen Alexandrovich Lyhin"
2019-04-09 "TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow" remote hardware "Grzegorz Wypych"
2019-04-08 "SaLICru -SLC-20-cube3(5) - HTML Injection" webapps hardware Ramikan
2019-04-03 "Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-04-02 "JioFi 4G M2S 1.0.2 - Cross-Site Request Forgery" webapps hardware "Vikas Chaudhary"
2019-03-20 "PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery" webapps hardware "Kumar Saurav"
2019-03-20 "PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control" webapps hardware "Kumar Saurav"
2019-03-08 "Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)" local hardware Specter
2019-03-07 "QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)" remote hardware AkkuS
2019-03-04 "Fiberhome AN5506-04-F RP2669 - Persistent Cross-Site Scripting" webapps hardware Tauco
2019-03-04 "Raisecom XPON ISCOMHT803G-U_2.0.0_140521_R4.1.47.002 - Remote Code Execution" webapps hardware JameelNabbo
2019-02-28 "Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow" dos hardware "Artem Metla"
Release Date Title Type Platform Author
2019-02-22 "Teracue ENC-400 - Command Injection / Missing Authentication" webapps hardware "Stephen Shkardoon"
2018-09-14 "Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)" webapps linux "Stephen Shkardoon"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46451/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46451/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46451/40909/teracue-enc-400-command-injection-missing-authentication/download/", "exploit_id": "46451", "exploit_description": "\"Teracue ENC-400 - Command Injection / Missing Authentication\"", "exploit_date": "2019-02-22", "exploit_author": "\"Stephen Shkardoon\"", "exploit_type": "webapps", "exploit_platform": "hardware", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
Introduction
============

Multiple vulnerabilities were identified within the Teracue ENC-400,
including pre-authenticated remote code authentication. While the vendor
has released updated firmware after these issues were identified, they are
not all resolved with the latest version of the firmware.

Product
=======

The Teracue ENC-400 is accessible over an HTTP interface, which allows
device configuration (including setting passwords or video stream
destinations and servers). The vendor describes the device as follows:
This HD/SD H.264 fanless video encoder is able to deliver multiple streams
in multiple bitrates and protocols to multiple destinations. [1]

These issues affect firmware versions v2.56 or below.
Note that the latest version of firmware, v2.57, does not adequately
resolve all identified issues. Specific notes have been added to issues in
the Technical Details section.


Technical Details
=================

1) Command injection in login form
----------------------------------
CVE-2018-20218

The login form passes user input directly to a shell command without any
kind of escaping or validation.
In the file /usr/share/www/check.lp:
#!/usr/bin/env cgilua.cgi
<%
local pass = cgilua.POST.password
local com1 = os.execute("echo \'"..cgilua.POST.password.."\' | (su -c
/bin/true)")

An attacker is able to perform command injection using the "password"
parameter displayed on the login form. An example "password" to bypass this
authentication would be:
f' > /dev/null #

It is also possible for an attacker to simply execute code directly on the
server.

* Resolution Status *
While this instance of remote code execution has been resolved, the
resolution does not protect the entire codebase.
In /usr/share/www/web/system_password.lp:
local oldpass = cgilua.POST.oldpass
local newpass = cgilua.POST.newpass
local com1=os.execute("echo '"..oldpass.."' | (su -c 'echo '"..oldpass.."'
| (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')")

This allows an authenticated user to execute commands without knowing the
existing password. This is particularly important given the insufficient
resolution of CVE-2018-20219 (issue 2).

2) Hard-coded authentication token
----------------------------------
CVE-2018-20219

After successful authentication, the device sends an authentication cookie
to the end user such that they can access the devices web administration
panel. This token is hardcoded to a string in the source code.
In the file /usr/share/www/check.lp:

cookies.sethtml("AuthByPasswdENC400","Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==",{path='/'})

(Note: Line may be slightly different in different firmware versions,
though the token is still the same).

By simply setting this cookie in a browser, an attacker is able to maintain
access to every ENC-400 device without knowing the password. Even if a user
changes the password on the device, this token is static and unchanged.
This results in an authentication bypass.

* Resolution Status *
While this cookie is now dynamically generated, the latest code generates
cookie values from the current time in seconds.
In the file /usr/share/www/check.lp:
math.randomseed(os.time())
local cookie_value=RandomVariable(30)

An attacker is able to trivially bypass authentication simply by knowing
the approximate time of the last successful authentication.

2) Missing authentication on sensitive endpoints
---------------------------------------------------------------------------------
CVE-2018-20220

While the web interface requires authentication before it can be interacted
with, a large portion of the HTTP endpoints are missing authentication.
The "/configuration.xml" file, for example, includes all information
required to access a video stream, such as the IP and port information, and
any encryption information if specified.

* Resolution Status *
No verification was performed as to whether this issue was appropriately
resolved, or whether other files may be left unprotected.


Disclosure Timeline
===================

Attempts to contact vendor begin: August 30, 2018
Vendor contacted: September 7, 2018
Vendor acknowledges issues: October 23, 2018
Initial fixes released for testing: December 4, 2018
Response indicating insufficient fixes: December 4, 2018
Public firmware release: February 13, 2019

References
==========

[1] https://www.teracue.com/en/iptv-products/encoding