ID: CVE-2018-20219
Type: cve
Reporter: cve@mitre.org
Modified: 2019-03-25T19:53:00
Description
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user so that they can access the device's web administration panel. This token is hard-coded to a string in the source code (the /usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in an authentication bypass. Even if a user changes the password on the device, this token is static and unchanged.
{"id": "CVE-2018-20219", "bulletinFamily": "NVD", "title": "CVE-2018-20219", "description": "An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends an authentication cookie to the end user such that they can access the devices web administration panel. This token is hard-coded to a string in the source code (/usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to maintain access to every ENC-400 device without knowing the password, which results in authentication bypass. Even if a user changes the password on the device, this token is static and unchanged.", "published": "2019-03-21T16:00:00", "modified": "2019-03-25T19:53:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20219", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html", "https://zxsecurity.co.nz/research.html", "http://seclists.org/fulldisclosure/2019/Feb/48"], "cvelist": ["CVE-2018-20219"], "type": "cve", "lastseen": "2020-12-09T20:25:40", "edition": 5, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32263"]}, {"type": "exploitdb", "idList": ["EDB-ID:46451"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151802"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1188C008C119CCEFAF747026298C819F"]}], "modified": "2020-12-09T20:25:40", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2020-12-09T20:25:40", "rev": 2}, "vulnersScore": 5.0}, "cpe": ["cpe:/o:teracue:enc-400_hdmi2_firmware:2.56", "cpe:/o:teracue:enc-400_hdmi_firmware:2.56", "cpe:/o:teracue:enc-400_hdsdi_firmware:2.56"], "affectedSoftware": [{"cpeName": "teracue:enc-400_hdmi2_firmware", "name": "teracue enc-400 hdmi2 firmware", "operator": "le", "version": "2.56"}, {"cpeName": 
"teracue:enc-400_hdmi_firmware", "name": "teracue enc-400 hdmi firmware", "operator": "le", "version": "2.56"}, {"cpeName": "teracue:enc-400_hdsdi_firmware", "name": "teracue enc-400 hdsdi firmware", "operator": "le", "version": "2.56"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:teracue:enc-400_hdmi2_firmware:2.56:*:*:*:*:*:*:*", "cpe:2.3:o:teracue:enc-400_hdmi_firmware:2.56:*:*:*:*:*:*:*", "cpe:2.3:o:teracue:enc-400_hdsdi_firmware:2.56:*:*:*:*:*:*:*"], "cwe": ["CWE-798"], "scheme": null, "affectedConfiguration": [{"cpeName": "teracue:enc-400_hdsdi", "name": "teracue enc-400 hdsdi", "operator": "eq", "version": "-"}, {"cpeName": "teracue:enc-400_hdmi2", "name": "teracue enc-400 hdmi2", "operator": "eq", "version": "-"}, {"cpeName": "teracue:enc-400_hdmi", "name": "teracue enc-400 hdmi", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:teracue:enc-400_hdmi2_firmware:2.56:*:*:*:*:*:*:*", "versionEndIncluding": "2.56", "vulnerable": true}], "operator": "OR"}, {"cpe_match": 
[{"cpe23Uri": "cpe:2.3:h:teracue:enc-400_hdmi2:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}, {"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:h:teracue:enc-400_hdmi:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:teracue:enc-400_hdmi_firmware:2.56:*:*:*:*:*:*:*", "versionEndIncluding": "2.56", "vulnerable": true}], "operator": "OR"}], "operator": "AND"}, {"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:h:teracue:enc-400_hdsdi:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:o:teracue:enc-400_hdsdi_firmware:2.56:*:*:*:*:*:*:*", "versionEndIncluding": "2.56", "vulnerable": true}], "operator": "OR"}], "operator": "AND"}]}}
{"zdt": [{"lastseen": "2019-03-06T00:23:24", "description": "Teracue ENC-400 suffers from hard-coded credential, missing authentication, and command injection vulnerabilities.", "edition": 1, "published": "2019-02-21T00:00:00", "title": "Teracue ENC-400 Command Injection / Missing Authentication Vulnerabilities", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-20220", "CVE-2018-20219"], "modified": "2019-02-21T00:00:00", "id": "1337DAY-ID-32263", "href": "https://0day.today/exploit/description/32263", "sourceData": "Teracue ENC-400 Command Injection / Missing Authentication Vulnerabilities\r\n\r\nIntroduction\r\n============\r\n\r\nMultiple vulnerabilities were identified within the Teracue ENC-400,\r\nincluding pre-authenticated remote code authentication. While the vendor\r\nhas released updated firmware after these issues were identified, they are\r\nnot all resolved with the latest version of the firmware.\r\n\r\nProduct\r\n=======\r\n\r\nThe Teracue ENC-400 is accessible over an HTTP interface, which allows\r\ndevice configuration (including setting passwords or video stream\r\ndestinations and servers). The vendor describes the device as follows:\r\nThis HD/SD H.264 fanless video encoder is able to deliver multiple streams\r\nin multiple bitrates and protocols to multiple destinations. [1]\r\n\r\nThese issues affect firmware versions v2.56 or below.\r\nNote that the latest version of firmware, v2.57, does not adequately\r\nresolve all identified issues. 
Specific notes have been added to issues in\r\nthe Technical Details section.\r\n\r\n\r\nTechnical Details\r\n=================\r\n\r\n1) Command injection in login form\r\n----------------------------------\r\nCVE-2018-20218\r\n\r\nThe login form passes user input directly to a shell command without any\r\nkind of escaping or validation.\r\nIn the file /usr/share/www/check.lp:\r\n#!/usr/bin/env cgilua.cgi\r\n<%\r\nlocal pass = cgilua.POST.password\r\nlocal com1 = os.execute(\"echo \\'\"..cgilua.POST.password..\"\\' | (su -c\r\n/bin/true)\")\r\n\r\nAn attacker is able to perform command injection using the \"password\"\r\nparameter displayed on the login form. An example \"password\" to bypass this\r\nauthentication would be:\r\nf' > /dev/null #\r\n\r\nIt is also possible for an attacker to simply execute code directly on the\r\nserver.\r\n\r\n* Resolution Status *\r\nWhile this instance of remote code execution has been resolved, the\r\nresolution does not protect the entire codebase.\r\nIn /usr/share/www/web/system_password.lp:\r\nlocal oldpass = cgilua.POST.oldpass\r\nlocal newpass = cgilua.POST.newpass\r\nlocal com1=os.execute(\"echo '\"..oldpass..\"' | (su -c 'echo '\"..oldpass..\"'\r\n| (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')\")\r\n\r\nThis allows an authenticated user to execute commands without knowing the\r\nexisting password. This is particularly important given the insufficient\r\nresolution of CVE-2018-20219 (issue 2).\r\n\r\n2) Hard-coded authentication token\r\n----------------------------------\r\nCVE-2018-20219\r\n\r\nAfter successful authentication, the device sends an authentication cookie\r\nto the end user such that they can access the devices web administration\r\npanel. 
This token is hardcoded to a string in the source code.\r\nIn the file /usr/share/www/check.lp:\r\n\r\ncookies.sethtml(\"AuthByPasswdENC400\",\"Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==\",{path='/'})\r\n\r\n(Note: Line may be slightly different in different firmware versions,\r\nthough the token is still the same).\r\n\r\nBy simply setting this cookie in a browser, an attacker is able to maintain\r\naccess to every ENC-400 device without knowing the password. Even if a user\r\nchanges the password on the device, this token is static and unchanged.\r\nThis results in an authentication bypass.\r\n\r\n* Resolution Status *\r\nWhile this cookie is now dynamically generated, the latest code generates\r\ncookie values from the current time in seconds.\r\nIn the file /usr/share/www/check.lp:\r\nmath.randomseed(os.time())\r\nlocal cookie_value=RandomVariable(30)\r\n\r\nAn attacker is able to trivially bypass authentication simply by knowing\r\nthe approximate time of the last successful authentication.\r\n\r\n2) Missing authentication on sensitive endpoints\r\n---------------------------------------------------------------------------------\r\nCVE-2018-20220\r\n\r\nWhile the web interface requires authentication before it can be interacted\r\nwith, a large portion of the HTTP endpoints are missing authentication.\r\nThe \"/configuration.xml\" file, for example, includes all information\r\nrequired to access a video stream, such as the IP and port information, and\r\nany encryption information if specified.\r\n\r\n* Resolution Status *\r\nNo verification was performed as to whether this issue was appropriately\r\nresolved, or whether other files may be left unprotected.\r\n\r\n\r\nDisclosure Timeline\r\n===================\r\n\r\nAttempts to contact vendor begin: August 30, 2018\r\nVendor contacted: September 7, 2018\r\nVendor acknowledges issues: October 23, 2018\r\nInitial fixes released for testing: December 4, 2018\r\nResponse indicating insufficient fixes: December 4, 
2018\r\nPublic firmware release: February 13, 2019\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://www.teracue.com/en/iptv-products/encoding\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32263"}], "exploitdb": [{"lastseen": "2019-02-22T16:02:28", "description": "", "published": "2019-02-22T00:00:00", "type": "exploitdb", "title": "Teracue ENC-400 - Command Injection / Missing Authentication", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-20220", "CVE-2018-20219", "CVE-2018-20218"], "modified": "2019-02-22T00:00:00", "id": "EDB-ID:46451", "href": "https://www.exploit-db.com/exploits/46451", "sourceData": "Introduction\r\n============\r\n\r\nMultiple vulnerabilities were identified within the Teracue ENC-400,\r\nincluding pre-authenticated remote code authentication. While the vendor\r\nhas released updated firmware after these issues were identified, they are\r\nnot all resolved with the latest version of the firmware.\r\n\r\nProduct\r\n=======\r\n\r\nThe Teracue ENC-400 is accessible over an HTTP interface, which allows\r\ndevice configuration (including setting passwords or video stream\r\ndestinations and servers). The vendor describes the device as follows:\r\nThis HD/SD H.264 fanless video encoder is able to deliver multiple streams\r\nin multiple bitrates and protocols to multiple destinations. [1]\r\n\r\nThese issues affect firmware versions v2.56 or below.\r\nNote that the latest version of firmware, v2.57, does not adequately\r\nresolve all identified issues. 
Specific notes have been added to issues in\r\nthe Technical Details section.\r\n\r\n\r\nTechnical Details\r\n=================\r\n\r\n1) Command injection in login form\r\n----------------------------------\r\nCVE-2018-20218\r\n\r\nThe login form passes user input directly to a shell command without any\r\nkind of escaping or validation.\r\nIn the file /usr/share/www/check.lp:\r\n#!/usr/bin/env cgilua.cgi\r\n<%\r\nlocal pass = cgilua.POST.password\r\nlocal com1 = os.execute(\"echo \\'\"..cgilua.POST.password..\"\\' | (su -c\r\n/bin/true)\")\r\n\r\nAn attacker is able to perform command injection using the \"password\"\r\nparameter displayed on the login form. An example \"password\" to bypass this\r\nauthentication would be:\r\nf' > /dev/null #\r\n\r\nIt is also possible for an attacker to simply execute code directly on the\r\nserver.\r\n\r\n* Resolution Status *\r\nWhile this instance of remote code execution has been resolved, the\r\nresolution does not protect the entire codebase.\r\nIn /usr/share/www/web/system_password.lp:\r\nlocal oldpass = cgilua.POST.oldpass\r\nlocal newpass = cgilua.POST.newpass\r\nlocal com1=os.execute(\"echo '\"..oldpass..\"' | (su -c 'echo '\"..oldpass..\"'\r\n| (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')\")\r\n\r\nThis allows an authenticated user to execute commands without knowing the\r\nexisting password. This is particularly important given the insufficient\r\nresolution of CVE-2018-20219 (issue 2).\r\n\r\n2) Hard-coded authentication token\r\n----------------------------------\r\nCVE-2018-20219\r\n\r\nAfter successful authentication, the device sends an authentication cookie\r\nto the end user such that they can access the devices web administration\r\npanel. 
This token is hardcoded to a string in the source code.\r\nIn the file /usr/share/www/check.lp:\r\n\r\ncookies.sethtml(\"AuthByPasswdENC400\",\"Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==\",{path='/'})\r\n\r\n(Note: Line may be slightly different in different firmware versions,\r\nthough the token is still the same).\r\n\r\nBy simply setting this cookie in a browser, an attacker is able to maintain\r\naccess to every ENC-400 device without knowing the password. Even if a user\r\nchanges the password on the device, this token is static and unchanged.\r\nThis results in an authentication bypass.\r\n\r\n* Resolution Status *\r\nWhile this cookie is now dynamically generated, the latest code generates\r\ncookie values from the current time in seconds.\r\nIn the file /usr/share/www/check.lp:\r\nmath.randomseed(os.time())\r\nlocal cookie_value=RandomVariable(30)\r\n\r\nAn attacker is able to trivially bypass authentication simply by knowing\r\nthe approximate time of the last successful authentication.\r\n\r\n2) Missing authentication on sensitive endpoints\r\n---------------------------------------------------------------------------------\r\nCVE-2018-20220\r\n\r\nWhile the web interface requires authentication before it can be interacted\r\nwith, a large portion of the HTTP endpoints are missing authentication.\r\nThe \"/configuration.xml\" file, for example, includes all information\r\nrequired to access a video stream, such as the IP and port information, and\r\nany encryption information if specified.\r\n\r\n* Resolution Status *\r\nNo verification was performed as to whether this issue was appropriately\r\nresolved, or whether other files may be left unprotected.\r\n\r\n\r\nDisclosure Timeline\r\n===================\r\n\r\nAttempts to contact vendor begin: August 30, 2018\r\nVendor contacted: September 7, 2018\r\nVendor acknowledges issues: October 23, 2018\r\nInitial fixes released for testing: December 4, 2018\r\nResponse indicating insufficient fixes: December 4, 
2018\r\nPublic firmware release: February 13, 2019\r\n\r\nReferences\r\n==========\r\n\r\n[1] https://www.teracue.com/en/iptv-products/encoding", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46451"}], "packetstorm": [{"lastseen": "2019-02-22T10:53:56", "description": "", "published": "2019-02-20T00:00:00", "type": "packetstorm", "title": "Teracue ENC-400 Command Injection / Missing Authentication", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-20220", "CVE-2018-20218", "CVE-2018-20219"], "modified": "2019-02-20T00:00:00", "id": "PACKETSTORM:151802", "href": "https://packetstormsecurity.com/files/151802/Teracue-ENC-400-Command-Injection-Missing-Authentication.html", "sourceData": "` \n \nIntroduction \n============ \n \nMultiple vulnerabilities were identified within the Teracue ENC-400, \nincluding pre-authenticated remote code authentication. While the vendor \nhas released updated firmware after these issues were identified, they are \nnot all resolved with the latest version of the firmware. \n \nProduct \n======= \n \nThe Teracue ENC-400 is accessible over an HTTP interface, which allows \ndevice configuration (including setting passwords or video stream \ndestinations and servers). The vendor describes the device as follows: \nThis HD/SD H.264 fanless video encoder is able to deliver multiple streams \nin multiple bitrates and protocols to multiple destinations. [1] \n \nThese issues affect firmware versions v2.56 or below. \nNote that the latest version of firmware, v2.57, does not adequately \nresolve all identified issues. Specific notes have been added to issues in \nthe Technical Details section. \n \n \nTechnical Details \n================= \n \n1) Command injection in login form \n---------------------------------- \nCVE-2018-20218 \n \nThe login form passes user input directly to a shell command without any \nkind of escaping or validation. 
\nIn the file /usr/share/www/check.lp: \n#!/usr/bin/env cgilua.cgi \n<% \nlocal pass = cgilua.POST.password \nlocal com1 = os.execute(\"echo \\'\"..cgilua.POST.password..\"\\' | (su -c \n/bin/true)\") \n \nAn attacker is able to perform command injection using the \"password\" \nparameter displayed on the login form. An example \"password\" to bypass this \nauthentication would be: \nf' > /dev/null # \n \nIt is also possible for an attacker to simply execute code directly on the \nserver. \n \n* Resolution Status * \nWhile this instance of remote code execution has been resolved, the \nresolution does not protect the entire codebase. \nIn /usr/share/www/web/system_password.lp: \nlocal oldpass = cgilua.POST.oldpass \nlocal newpass = cgilua.POST.newpass \nlocal com1=os.execute(\"echo '\"..oldpass..\"' | (su -c 'echo '\"..oldpass..\"' \n| (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')\") \n \nThis allows an authenticated user to execute commands without knowing the \nexisting password. This is particularly important given the insufficient \nresolution of CVE-2018-20219 (issue 2). \n \n2) Hard-coded authentication token \n---------------------------------- \nCVE-2018-20219 \n \nAfter successful authentication, the device sends an authentication cookie \nto the end user such that they can access the devices web administration \npanel. This token is hardcoded to a string in the source code. \nIn the file /usr/share/www/check.lp: \n \ncookies.sethtml(\"AuthByPasswdENC400\",\"Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==\",{path='/'}) \n \n(Note: Line may be slightly different in different firmware versions, \nthough the token is still the same). \n \nBy simply setting this cookie in a browser, an attacker is able to maintain \naccess to every ENC-400 device without knowing the password. Even if a user \nchanges the password on the device, this token is static and unchanged. \nThis results in an authentication bypass. 
\n \n* Resolution Status * \nWhile this cookie is now dynamically generated, the latest code generates \ncookie values from the current time in seconds. \nIn the file /usr/share/www/check.lp: \nmath.randomseed(os.time()) \nlocal cookie_value=RandomVariable(30) \n \nAn attacker is able to trivially bypass authentication simply by knowing \nthe approximate time of the last successful authentication. \n \n2) Missing authentication on sensitive endpoints \n--------------------------------------------------------------------------------- \nCVE-2018-20220 \n \nWhile the web interface requires authentication before it can be interacted \nwith, a large portion of the HTTP endpoints are missing authentication. \nThe \"/configuration.xml\" file, for example, includes all information \nrequired to access a video stream, such as the IP and port information, and \nany encryption information if specified. \n \n* Resolution Status * \nNo verification was performed as to whether this issue was appropriately \nresolved, or whether other files may be left unprotected. 
\n \n \nDisclosure Timeline \n=================== \n \nAttempts to contact vendor begin: August 30, 2018 \nVendor contacted: September 7, 2018 \nVendor acknowledges issues: October 23, 2018 \nInitial fixes released for testing: December 4, 2018 \nResponse indicating insufficient fixes: December 4, 2018 \nPublic firmware release: February 13, 2019 \n \nReferences \n========== \n \n[1] https://www.teracue.com/en/iptv-products/encoding \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151802/teracueenc400-execbypass.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:51", "description": "\nTeracue ENC-400 - Command Injection Missing Authentication", "edition": 1, "published": "2019-02-22T00:00:00", "title": "Teracue ENC-400 - Command Injection Missing Authentication", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-20220", "CVE-2018-20218", "CVE-2018-20219"], "modified": "2019-02-22T00:00:00", "id": "EXPLOITPACK:1188C008C119CCEFAF747026298C819F", "href": "", "sourceData": "Introduction\n============\n\nMultiple vulnerabilities were identified within the Teracue ENC-400,\nincluding pre-authenticated remote code authentication. While the vendor\nhas released updated firmware after these issues were identified, they are\nnot all resolved with the latest version of the firmware.\n\nProduct\n=======\n\nThe Teracue ENC-400 is accessible over an HTTP interface, which allows\ndevice configuration (including setting passwords or video stream\ndestinations and servers). The vendor describes the device as follows:\nThis HD/SD H.264 fanless video encoder is able to deliver multiple streams\nin multiple bitrates and protocols to multiple destinations. [1]\n\nThese issues affect firmware versions v2.56 or below.\nNote that the latest version of firmware, v2.57, does not adequately\nresolve all identified issues. 
Specific notes have been added to issues in\nthe Technical Details section.\n\n\nTechnical Details\n=================\n\n1) Command injection in login form\n----------------------------------\nCVE-2018-20218\n\nThe login form passes user input directly to a shell command without any\nkind of escaping or validation.\nIn the file /usr/share/www/check.lp:\n#!/usr/bin/env cgilua.cgi\n<%\nlocal pass = cgilua.POST.password\nlocal com1 = os.execute(\"echo \\'\"..cgilua.POST.password..\"\\' | (su -c\n/bin/true)\")\n\nAn attacker is able to perform command injection using the \"password\"\nparameter displayed on the login form. An example \"password\" to bypass this\nauthentication would be:\nf' > /dev/null #\n\nIt is also possible for an attacker to simply execute code directly on the\nserver.\n\n* Resolution Status *\nWhile this instance of remote code execution has been resolved, the\nresolution does not protect the entire codebase.\nIn /usr/share/www/web/system_password.lp:\nlocal oldpass = cgilua.POST.oldpass\nlocal newpass = cgilua.POST.newpass\nlocal com1=os.execute(\"echo '\"..oldpass..\"' | (su -c 'echo '\"..oldpass..\"'\n| (su root -c '/bin/true') > /dev/null 2>&1 ; echo $?')\")\n\nThis allows an authenticated user to execute commands without knowing the\nexisting password. This is particularly important given the insufficient\nresolution of CVE-2018-20219 (issue 2).\n\n2) Hard-coded authentication token\n----------------------------------\nCVE-2018-20219\n\nAfter successful authentication, the device sends an authentication cookie\nto the end user such that they can access the devices web administration\npanel. 
This token is hardcoded to a string in the source code.\nIn the file /usr/share/www/check.lp:\n\ncookies.sethtml(\"AuthByPasswdENC400\",\"Teracue:dGFpOfrtmR1bW1thrf5dGV4nhyxxdA==\",{path='/'})\n\n(Note: Line may be slightly different in different firmware versions,\nthough the token is still the same).\n\nBy simply setting this cookie in a browser, an attacker is able to maintain\naccess to every ENC-400 device without knowing the password. Even if a user\nchanges the password on the device, this token is static and unchanged.\nThis results in an authentication bypass.\n\n* Resolution Status *\nWhile this cookie is now dynamically generated, the latest code generates\ncookie values from the current time in seconds.\nIn the file /usr/share/www/check.lp:\nmath.randomseed(os.time())\nlocal cookie_value=RandomVariable(30)\n\nAn attacker is able to trivially bypass authentication simply by knowing\nthe approximate time of the last successful authentication.\n\n2) Missing authentication on sensitive endpoints\n---------------------------------------------------------------------------------\nCVE-2018-20220\n\nWhile the web interface requires authentication before it can be interacted\nwith, a large portion of the HTTP endpoints are missing authentication.\nThe \"/configuration.xml\" file, for example, includes all information\nrequired to access a video stream, such as the IP and port information, and\nany encryption information if specified.\n\n* Resolution Status *\nNo verification was performed as to whether this issue was appropriately\nresolved, or whether other files may be left unprotected.\n\n\nDisclosure Timeline\n===================\n\nAttempts to contact vendor begin: August 30, 2018\nVendor contacted: September 7, 2018\nVendor acknowledges issues: October 23, 2018\nInitial fixes released for testing: December 4, 2018\nResponse indicating insufficient fixes: December 4, 2018\nPublic firmware release: February 13, 2019\n\nReferences\n==========\n\n[1] 
https://www.teracue.com/en/iptv-products/encoding", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}