Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

OpenPLI v3.0 beta (OpenPLi-beta-dm7000-20130127-272) - Multiple Vulnerabilities

🗓️ 14 Feb 2013 00:00:00Reported by m-1-k-3Type 
zdt
 zdt🔗 0day.today👁 28 Views

OpenPLI v3.0 beta Multiple Vulnerabilities, Command Execution, Stored XS

Code
# Exploit Title: Multiple Vulnerabilities in OpenPLI
# Date: 13.02.2013
# Exploit Author: m-1-k-3
# Vendor Homepage: http://openpli.org/
# Software Link: http://openpli.org/
# Version: v3.0 beta (OpenPLi-beta-dm7000-20130127-272) and below
 
Device Name: OpenPLI - Dream Multimedia Box with OpenPLI software
Vendor of device: Dream Multimedia
Vendor of Software: OpenPLI Community
 
============ Device Details: ============
 
Linux Kernel    Linux version 2.6.9 ([email protected]) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011
Firmware    release 1.1.0, 27.01.2013
FP Firmware 1.06
Web Interface   6.0.4-Expert - PLi edition by [lite]
 
More infos: http://openpli.org/
 
============ Vulnerability Overview: ============
 
* OS Command Execution:
 
    parameter: maxmtu
 
The vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use Netcat to fully compromise the device.
 
http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26&hddstandby=2&hddacoustics=160&timeroffsetstart=0&timeroffsetstop=0&audiochannelspriority=&showsatpos=on&trustedhosts=&epgcachepath=%2Fhdd&epgsqlpath=%2Fvar%2Flib%2Fsqlite
 
It is possible to shorten the URL to the following:
 
http://Target-IP/cgi-bin/setConfigSettings?maxmtu=%26COMMAND%26
 
There is Netcat preinstalled on the device. It is a very small edition of netcat, so you have to play a bit with it but you will get it ;)
 
* stored XSS:
 
Box Control -> Configuration -> Webserver -> User, Password
 
    parameter: AuthUser, AuthPassword
 
Box Control -> Configuration -> Settings
 
    parameter: audiochannelspriority
 
Injecting scripts into the parameter xxx reveals that this parameter is not properly validated for malicious input.
 
============ Solution ============
 
No known solution available.
 
============ Credits ============
 
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de
 
============ Time Line: ============
 
October 2012 - disocovered vulnerability
xx.02.2013 - public release
 
===================== Advisory end =====================

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Feb 2013 00:00Current
7.1High risk
Vulners AI Score7.1
openplidream multimedia boxlinux kernelfirmwareweb interfacecommand executionnetcatvulnerabilityxsssolutioncreditsadvisory
28