DreamBox DM800 Arbitrary File Download

2011-06-21T00:00:00
ID PACKETSTORM:102458
Type packetstorm
Reporter ShellVision
Modified 2011-06-21T00:00:00

Description

                                        
                                            `DreamBox DM800 Arbitrary File Download Vulnerability  
  
  
Vendor: Dream Multimedia GmbH  
Product web page: http://www.dream-multimedia-tv.de  
Affected version: DM800 (may affect others version)  
  
Summary: The Dreambox is a series of Linux-powered  
DVB satellite, terrestrial and cable digital television  
receivers (set-top box).  
  
Desc: Dreambox suffers from a file download vulnerability  
thru directory traversal with appending the '/' character  
in the HTTP GET method of the affected host address. The  
attacker can get to sensitive information like paid channel  
keys, usernames, passwords, config and plug-ins info, etc.  
  
By default, web application is running by root, so catch shadow is  
very easy  
  
Tested on:  
  
Devicename: dm800  
Enigma Version: 2009-12-24-master  
Image Version: Release 4.6.0 2009-12-24  
Frontprozessor Version: VNone  
Webinterface Version: 1.6rc3  
  
  
Vulnerability discovered by: ShellVision Designer@ShellVision.com<script type="text/javascript">  
/* <![CDATA[ */  
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();  
/* ]]> */  
</script>  
ShellVision - www.shellvision.com  
  
20 Jun 2011  
  
  
--------------------------------------------------------------------  
  
http://target.com/file?file=/etc/shadow  
  
  
`